Preventing Fraud Through Improved Access Management

While public disclosure of exactly what happened at Societe Generale is understandably limited, it appears that one trader was able to execute a series of massive transactions and hide them by turning off or manipulating surveillance systems, which would otherwise have flagged the transactions for further review. There is speculation that the trader was able to do this by combining previous knowledge of the surveillance applications with passwords borrowed from co-workers.

So what can we all learn from Societe Generale’s painful experience? Clearly, there are organisational lessons such as issues related to separation of duties, staff training and so forth – but we’ll leave those for another day; instead, this article will focus on several obvious technology lessons that need to be highlighted. If certain solutions and policies had been deployed at Societe Generale, this devastating trading incident could well have been prevented. The following section highlights some key prerequisites in the prevention of such fraud:

Importance of effective policies

Organisations should identify toxic combinations of privileges that should never be assigned to a single user, for example the ability to execute trades together with the ability to alter or disable the surveillance controls that review those trades. Such a combination is rarely granted in one step; it is usually assembled over time from individually harmless roles. Automation can be used to evaluate each user's effective privileges across all of their roles and raise an alarm if a single user is inadvertently assigned such a combination.
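As an added illustration (not from the original article, and not any product's code), the following Python script shows what such an automated toxic-combination check looks like. Roles, entitlements, user names and the toxic pairs are all constructed for the example; a real rule set would come from the organisation's own segregation-of-duties policy. It goes slightly beyond the paragraph above in that it resolves each user's effective entitlements across all of their roles, so a toxic pair split across two roles is still caught, and it reports which roles grant each half of the pair so that the right role can be removed.

```python
"""Toxic-combination (segregation-of-duties) check over role assignments.

All names, roles, entitlements and toxic pairs below are hypothetical and were
constructed for this example.
"""

# Hypothetical role model: role -> entitlements it grants.
ROLE_ENTITLEMENTS = {
    "trader": {"book_trade", "amend_trade"},
    "trade_support": {"cancel_trade", "amend_trade"},
    "risk_control": {"approve_limit_breach", "view_positions"},
    "surveillance_admin": {"edit_surveillance_rules", "suppress_alerts"},
    "auditor": {"view_positions", "view_audit_log"},
}

# Hypothetical toxic pairs: entitlements no single person may hold together.
TOXIC_PAIRS = {
    frozenset({"book_trade", "approve_limit_breach"}),
    frozenset({"book_trade", "edit_surveillance_rules"}),
    frozenset({"book_trade", "suppress_alerts"}),
    frozenset({"cancel_trade", "approve_limit_breach"}),
}

# Constructed user -> role assignments to run the check over.
USER_ROLES = {
    "alice": ["trader"],
    "bob": ["trader", "surveillance_admin"],      # can trade and silence surveillance
    "carol": ["trade_support", "risk_control"],   # can cancel trades and approve breaches
    "dave": ["auditor"],
}


def effective_entitlements(roles, role_entitlements=ROLE_ENTITLEMENTS):
    """Union of the entitlements granted by every role a user holds.

    Unknown roles grant nothing rather than raising, so a stale role name in
    the directory does not abort the whole review.
    """
    ents = set()
    for role in roles:
        ents |= role_entitlements.get(role, set())
    return ents


def toxic_combinations(entitlements, toxic_pairs=TOXIC_PAIRS):
    """Toxic pairs fully contained in one entitlement set, as sorted tuples."""
    hits = [pair for pair in toxic_pairs if pair <= entitlements]
    return sorted(tuple(sorted(pair)) for pair in hits)


def granting_roles(roles, entitlement, role_entitlements=ROLE_ENTITLEMENTS):
    """Which of the user's roles grant a given entitlement (for remediation)."""
    return sorted(r for r in roles if entitlement in role_entitlements.get(r, set()))


def check_assignments(user_roles, role_entitlements=ROLE_ENTITLEMENTS,
                      toxic_pairs=TOXIC_PAIRS):
    """Map each violating user to the sorted list of toxic pairs they hold."""
    findings = {}
    for user, roles in user_roles.items():
        hits = toxic_combinations(effective_entitlements(roles, role_entitlements),
                                  toxic_pairs)
        if hits:
            findings[user] = hits
    return findings


def report(user_roles=USER_ROLES):
    """Human-readable alert lines, one per (user, toxic pair), naming the roles."""
    lines = []
    for user, pairs in check_assignments(user_roles).items():
        for left, right in pairs:
            lines.append(
                f"ALERT {user}: holds {left} (via {granting_roles(user_roles[user], left)}) "
                f"and {right} (via {granting_roles(user_roles[user], right)})"
            )
    return lines


if __name__ == "__main__":
    for line in report():
        print(line)
```

Note that checking roles pairwise against a list of "forbidden role combinations" is not enough: here neither "trader" nor "surveillance_admin" is toxic on its own, and the violation only appears once entitlements are resolved per user. Run this on every assignment change, not just at review time.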

Periodic audits/privilege re-certification

As employees change jobs, their IT access requirements constantly change. When users cannot reach an application they need, they ask IT to fix the problem, and new access is granted; access that is no longer needed is rarely removed at the same time. As a result, users accumulate privileges over the course of their careers.

Periodic reviews of user privileges by managers and application owners enable organisations to spot excessive or obsolete rights and ask that they be removed. This sort of review can identify problems that automated policies miss, because it is too hard to define an exhaustive set of policies in advance.

Change passwords

It sounds simple, but if every user's passwords changed regularly, passwords would be much harder to share: a password borrowed from a co-worker would stop working at the next change, so it could not be relied on for an extended period. Most passwords should expire every three months or so, but passwords to sensitive applications should expire monthly, at the very least.

Unfortunately, changing passwords too often negatively impacts users, who have trouble remembering them, and might respond by writing them down, which completely defeats their purpose. Automation can help here too: password synchronisation can reduce the number of passwords that users must remember simultaneously and single sign-on can make it possible to change passwords very often (e.g. daily) while eliminating the need for users to remember and type them manually.

Conclusion

How would these measures have helped Societe Generale and, more importantly, how can they help your organisation? If internal controls were bypassed by sharing passwords, then regular password changes would have made this more difficult. If internal controls were violated by a trader holding too many privileges at the same time, then either policies regarding segregation of duties or periodic reviews would have caught this toxic combination and alerted IT to correct it. In either case, the trader in question would not have been empowered to bypass the organisation's controls.
