Introduction
Société Générale Bank was established in 1864 in France by a caucus of moguls and investors with the aim of improving and bolstering their commercial ventures. Over the years, the bank has tremendously improved its financial outlay. This has enabled it to extend its presence in many nations. Today, the bank is among the successful financial institutions globally.
The bank offers retail banking, savings schemes and intercontinental banking services. Thus, the bank handles thousands of varied transactions daily. Despite its success in the corporate arena, it has experienced a myriad of fraudulent cases which have affected its corporate profile and are likely to retard its future growth. This paper identifies and discusses the policies, vulnerabilities, risks and internal controls of Société Générale.
Fraudsters have pervaded the financial sector, with the banking subsector being the hardest hit. It has been quite challenging to track fraudsters because they apply sophisticated technologies which banks cannot keep pace with. In simple terms, bank fraud refers to the unlawful mechanisms of accessing or being in possession of money or other properties that belong to a financial company. Bank fraud can also be practiced in the form of receiving money from shareholders by purporting to be a genuine financial institution. Destabilization of the financial base of an organization is one of the most devastating effects of fraud.
With reference to the banking sector, fraud can lead to a mass exodus of potential depositors who may no longer trust the bank with their savings. Second, fraud can create serious liabilities for a bank, which can culminate in its collapse. Fraud in the bank can be conducted either by the staff or by outsiders. In some cases, the two can conspire to siphon assets and money out of the bank.
“The most serious incidence of fraud that Société Générale has ever witnessed occurred on 24-1-2008, when Jérôme Kerviel (a single futures dealer) allegedly lost close to US$7.2 billion” (NBC News, 2008). This was the worst case of fraud the bank has suffered since its inception (CBS News, 2009). Kerviel is believed to have coordinated and executed a chain of fake transactions, which the bank could not trace.
The management of the bank revealed that Kerviel exploited every loophole to hack the computer operations at the bank. He mainly focused on tampering with security control systems to pave the way for his illegal transactions. The changes Kerviel made to the computer systems helped him to get rid of credit controls; hence, the risk personnel could not easily track his huge transactions.
He was also reported to have stolen the secret codes of his workmates who served in the trading section and the technology department. Kerviel possessed vast knowledge of the technical control procedures, which enabled him to manipulate the security installations. Thus, he was able to access important information that was out of reach of many employees. Having served in the back office for roughly six years, Kerviel learnt how the control systems of the bank operated. Finally, he gained privileged access codes that he used to eliminate five control systems before executing his transactions.
An in-depth security analysis of the fraud incident revealed that a lack of proper information control systems prompted the hacking of the privileged codeword. Privileged user accounts are one of the most secure IT venture settings, and are used to secure sensitive databases and servers.
The secret codes are “generic in character; they encompass, but are not restricted to generic accounts such as administrator on Wintel platforms, root on UNIX systems, and hard-coded passwords” (Bishop, 2009, p. 345). One disadvantage of this kind of data security system is that in case the secret code is revealed to many individuals, several operating systems can easily be hacked.
The bank was probably using a single security code to secure several systems. This kind of security system creates loopholes, which can easily be misused by fraudsters. System prowlers apply authentic codes to access systems just like privileged users. They like attacking such systems because these are often secured using weak secret codes that can easily be guessed or have remained unchanged for a long time. An application like WebLogic that is secured with embedded privileged secret codes has a high chance of being hacked.
Reviewing Current Policies
The establishment of appropriate and reliable security policies at Société Générale needs a clear approach that will facilitate the identification of the current computer vulnerabilities. The status of the current security policies can be established by analyzing current documents and detecting parts of the system that lack appropriate policies. “The critical areas of the system that need to be reviewed include: physical access controls, network security policies, data security policies and contingency and disaster recovery plans and tests” (Gollmann, 2011, p. 123).
“In addition, documents that have confidential data like computer BIOS secret codes, router configuration secret codes and access control documents should also be reviewed” (Gollmann, 2011, p. 125). Examining the security requirements of Société Générale should also involve finding out the extent of its exposure to known threats. This analysis encompasses identifying the nature of the bank’s assets because they determine the type of risks it should be protected from.
It is also important to list the potential risks because it enables the security personnel to determine techniques such as email hacking and viruses that can be applied in the attack. Therefore, the security personnel at Société Générale Bank should improve their skills of tackling such challenges.
Improving Security Strategies
A good security system is supposed to include both proactive and reactive approaches. A proactive strategy has a number of procedures that mitigate potential security risks and build up emergency plans. Determining the destruction that an onslaught will cause on given data assists in creating a strategy that is proactive. On the other hand, a reactive plan assists in examining the extent of damage to a system after it has been hacked. This helps in making decisions such as repairing the corrupted system or implementing emergency plans.
The first step towards securing the system is developing effective mechanisms for identifying potential risks and for resisting them. Start by securing the system against common threats. It is easier to prevent threats than to reconstruct the system after an attack.
All potential threats that may destabilize the system should also be scrutinized by the security administrators. These potential threats include malevolent prowlers, non-malicious threats, and natural calamities. Consider all of the possible threats that cause attacks on systems. Most of the attacks are caused by employees.
Reactive Strategy
A reactive strategy could offer the best solution to deal with the fraud case at Société Générale because the proactive strategy failed to secure the system.
The reactive plan identifies the procedures that should be followed during and after intrusion. “This strategy detects the extent of the destruction caused and the loopholes that were taken advantage of in the attack, it establishes why it occurred, refurbish the spoilt systems, and execute an eventuality plan if available” (Pfleeger, 2008, p. 657). Reactive and proactive strategies work hand in hand to build up security controls that mitigate intrusion and the destruction caused during such incidents.
Assess the Damage
Identify the destruction that occurred during the intrusion. This process should be executed very quickly so that reconstruction of the system can commence as soon as possible.
Establish the Source of the Damage
This can be achieved by analyzing the system logs because they give clues about the origin of the attack. System and audit logs can also be examined, as they are instrumental in tracing the source of an attack.
Repair the Damage
Reconstruction of the system should be done immediately after detecting the source of the attack to restore usual operations and recover whatever information was misplaced during the interruption.
Document and Learn
Where feasible, all attack situations must be analyzed and documented to identify the most appropriate security steps and controls that can secure the system. The security group should handle cases such as insider attacks and viruses. Such efforts generate skills that a company can apply and information that it can give out before and after incidents.
In addition, the security team is supposed to examine any unfamiliar occurrence which may involve system controls. Documentation must encompass all the facets of the attack which can possibly be identified. Documentation will assist in adjusting proactive strategies for curbing potential intrusion or reducing destruction.
Implement Contingency Plan
If there is a contingency arrangement, it can be put into operation to avoid wasting time and to maintain business operations. Where there is no emergency plan, create a suitable plan based on the evidence from the previous step.
Review Outcome
“Examining the outcome is important and should involve: loss in efficiency, information or mislaid, and the used to reorganize the system” (Pfleeger, 2008, p. 678). If possible, list the type of attack, its source, the mechanisms that were used to execute it, and the loopholes that were exploited.
Review Policy Effectiveness
If there are policies to guard against an intrusion that has occurred, they must be examined, reviewed and tested for their efficiency. New policies must be created if they have not been used before to reduce potential attacks.
Amend Policy Properly
If the policy is of poor quality, it must be upgraded properly. Updating of policies should only be undertaken by authorized personnel who deal with system security. Moreover, a security policy can be configured so that it only allows the users to access the system during the normal working hours. This reduces hacking incidences.
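The log analysis described under "Establish the Source of the Damage" and the working-hours policy above can be combined into one review pass, shown here as an added example that is not taken from the paper or from the bank's systems. The log layout, account names, host names, working hours and host assignments are all assumptions made for the illustration.

```python
from datetime import datetime, time

# Constructed sample records; the field layout is an assumption for this example.
SAMPLE_LOG = """\
2008-01-14T09:12:40 user=trader_a host=WS-101 priv=no
2008-01-14T21:47:03 user=trader_a host=WS-101 priv=no
2008-01-15T10:05:11 user=it_admin host=WS-101 priv=yes
2008-01-16T11:30:00 user=trader_b host=WS-102 priv=no
2008-01-19T14:02:55 user=it_admin host=SRV-01 priv=yes
"""

# Hypothetical policy values: working hours and each account's assigned hosts.
WORK_START, WORK_END = time(8, 0), time(18, 0)
ASSIGNED_HOSTS = {
    "trader_a": {"WS-101"},
    "trader_b": {"WS-102"},
    "it_admin": {"SRV-01"},
}

def parse_line(line):
    """Split one record into a timestamp and a dict of key=value fields."""
    stamp, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(stamp), fields

def review_log(text):
    """Return (timestamp, user, reason) findings for policy violations."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, f = parse_line(line)
        user, host = f["user"], f["host"]
        # Working hours here mean Monday to Friday, 08:00 up to 18:00.
        in_hours = when.weekday() < 5 and WORK_START <= when.time() < WORK_END
        if not in_hours:
            findings.append((when, user, "login outside working hours"))
        # An account seen on a host it is not assigned to may be borrowed.
        if host not in ASSIGNED_HOSTS.get(user, set()):
            reason = "account used from unassigned host"
            if f.get("priv") == "yes":
                reason = "privileged " + reason
            findings.append((when, user, reason))
    return findings

if __name__ == "__main__":
    for when, user, reason in review_log(SAMPLE_LOG):
        print(when.isoformat(), user, reason)
```

Findings of this kind feed the documentation step: each one records when the event occurred, which account was involved and which rule it broke.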
Conclusion
The security managers of Société Générale should determine the amount of time and resources that can enable them to create effective security controls. Apart from setting up an efficient security strategy, security auditors need to realize that security is a full-time need in the organization. Hence, they should update their security system regularly.