One of the suspected aspects of the Kerviel incident is that he was able to log on to the SocGen systems using other people’s authentication credentials. It is interesting to note that an earlier version of the Mission Green Summary Report, describing “Interim conclusions as of February 20, 2008,” contains the following statement:
“The investigation of potential access by [Kerviel] into IT systems using another person’s identity is currently ongoing.”
It is noteworthy that the final report appears to have omitted any reference to identity theft by Kerviel. I say “appears” because there are a number of mistranslations in the report, which reduce the accuracy of a search for particular references – in fact, the May 20 report uses the word “identity” when it should have used “identify.” However, that didn’t stop the press, blogs and others from assuming that this actually was the case, and that identity theft had occurred.
Another unverified factor is that Kerviel retained system access rights from his prior role in the back office even though they were no longer needed in his front-office role. If this were the case, he would effectively have been able to combine duties that should have been kept separate: entering trades on the trading side and confirming or settling them on the control side. Again, the report does not specifically confirm this supposition, possibly because it is more focused on business processes than on technical considerations.
Most attendees were not prepared to have infosec assume responsibility for the apparent inadequacies of the applications. I disagreed with this view, since I believe that infosec needs to be involved in the initial design and development of systems, and in subsequent review and testing, so that appropriate levels of data integrity, confidentiality and availability are built in. User roles also need to be clearly defined to achieve appropriate separation of duties and checks and balances, and entitlements need to be revoked when someone changes role. More sophisticated, but equally important, systems need to have reasonableness and validity checks built into them to highlight suspicious behavior. And, of course, procedures need to be in place and managed to enforce these requirements and to respond to alerts. All of these seem to have been lacking in the SocGen case.
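To make the separation-of-duties point concrete, here is an added example (not code from the report, from SocGen, or from any real trading system) of the kind of automated entitlement review that would have surfaced the two conditions discussed above: a user holding conflicting front-office and back-office roles at the same time, and roles left over from a previous position. It also includes a transaction-level check, flagging trades confirmed by the same person who entered them. All role names, position names, user IDs and trade records are constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set

# Pairs of roles that must never be held by the same person. Role names are
# assumptions made for this example, not identifiers from any real system.
CONFLICTING_ROLES: Set[FrozenSet[str]] = {
    frozenset({"front_office_trader", "back_office_settlement"}),
    frozenset({"front_office_trader", "trade_confirmation"}),
}

# Roles each position legitimately needs. Anything else on a user's account
# is a stale entitlement that should have been revoked on a job change.
ROLES_FOR_POSITION: Dict[str, Set[str]] = {
    "trader": {"front_office_trader", "market_data_viewer"},
    "back_office_clerk": {"back_office_settlement", "trade_confirmation"},
}


@dataclass(frozen=True)
class Assignment:
    role: str
    granted_in_position: str  # position held when the role was granted


@dataclass
class User:
    uid: str
    current_position: str
    assignments: List[Assignment]


@dataclass(frozen=True)
class Trade:
    trade_id: str
    entered_by: str
    confirmed_by: str


def find_sod_conflicts(user: User) -> List[tuple]:
    """Return the conflicting role pairs this user holds simultaneously."""
    held = {a.role for a in user.assignments}
    return sorted(tuple(sorted(pair)) for pair in CONFLICTING_ROLES if pair <= held)


def find_stale_roles(user: User) -> List[str]:
    """Return roles that the user's current position does not justify."""
    allowed = ROLES_FOR_POSITION.get(user.current_position, set())
    return sorted(a.role for a in user.assignments if a.role not in allowed)


def find_self_confirmed_trades(trades: List[Trade]) -> List[str]:
    """Transaction-level check: whoever entered a trade must not also confirm it."""
    return [t.trade_id for t in trades if t.entered_by == t.confirmed_by]


def review_entitlements(users: List[User]) -> Dict[str, Dict[str, list]]:
    """Run both account-level checks; only users with findings are reported."""
    findings: Dict[str, Dict[str, list]] = {}
    for user in users:
        sod = find_sod_conflicts(user)
        stale = find_stale_roles(user)
        if sod or stale:
            findings[user.uid] = {"sod": sod, "stale": stale}
    return findings


# Constructed sample data: t001 moved from the back office to a trading desk
# and kept the roles from the old job; t002 and b001 are clean.
SAMPLE_USERS = [
    User("t001", "trader", [
        Assignment("back_office_settlement", "back_office_clerk"),
        Assignment("trade_confirmation", "back_office_clerk"),
        Assignment("front_office_trader", "trader"),
        Assignment("market_data_viewer", "trader"),
    ]),
    User("t002", "trader", [Assignment("front_office_trader", "trader")]),
    User("b001", "back_office_clerk", [
        Assignment("back_office_settlement", "back_office_clerk"),
        Assignment("trade_confirmation", "back_office_clerk"),
    ]),
]

SAMPLE_TRADES = [
    Trade("TR-1", entered_by="t001", confirmed_by="b001"),
    Trade("TR-2", entered_by="t001", confirmed_by="t001"),  # self-confirmed
    Trade("TR-3", entered_by="t002", confirmed_by="b001"),
]

if __name__ == "__main__":
    for uid, f in review_entitlements(SAMPLE_USERS).items():
        print(uid, "conflicts:", f["sod"], "stale:", f["stale"])
    print("self-confirmed trades:", find_self_confirmed_trades(SAMPLE_TRADES))
```

The two account-level checks are deliberately separate: a stale role is a finding even when it does not create a conflict, and a conflict is a finding even when every role was granted for the current position. The transaction-level check catches what an account review cannot, namely a conflict that exists only because two accounts were used by one person, which is why both belong in a control framework.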
