Given that a full report on the events at Société Générale is not due until towards the end of May 2008, it is inappropriate to speculate too widely, writes Andrea Simmons, consultant forum manager at BCS Security Forum. But invariably in such situations, it emerges that an end-user has managed to bypass the existing controls and done so consistently for some time.
One of the lessons professional security consultants learn along the way is that whatever controls are put in place, there is always someone able to circumvent their best efforts. Almost to a fault, every investigation identifies that while a security policy may exist, and may say all the right things, the hacked organisation has insufficient monitoring and resources to audit systems and events thoroughly enough to identify trends and pick up instances like those that appear to have occurred in the Société Générale case.
Given that Société Générale apparently employs 2,000 people in its compliance department, the first question an outsider is going to ask is: what on earth were they doing?.
However, the term "compliance" has a hugely broad meaning and interpretation, and in banking, in particular, staff are involved in providing ongoing reporting evidence for compliance with legislation, such as Sarbanes-Oxley and Basel II. If a tickbox mentality governs these types of compliance activities, then the reasons for the need can be obscured in an activity that doesn't really live and breathe for those involved.
It's a big ask to expect people to appreciate that their actions and activities need to be monitored for their own sake as well as that of the organisation, but is one that an active information security awareness programme can help to embed. As ever, the prevailing culture remains an important aspect.
That said, the international standard for information security, ISO 27001, references all the controls required for a risk assessment, such as information system security (sections 10 and 12, specifically) and access code protection (section 11).
Management of password controls is also covered in section 11. Changes in user registration and deregistration and changes in a user's role are picked up in section 8. System monitoring is picked up in section 15. Knowledge that these are the areas to look in appears to come with a deep understanding of the intentions behind the standard, as well as time and regular usage.
Torpor at the top
Intermittently throughout the last six years, I've been working with software companies seeking to bring out dashboard compliance-type products. But consistently the market has not been mature enough to realise that this is what is required (at least to a point where a supplier could make a living out of it). Yet events like Société Générale continue to occur. Investigations take place, reports get written and shelved, but nothing happens.
It remains unclear what really should be the tipping point before large organisations understand the need for ongoing maintenance of the information security management system that invariably somebody has taken the time and trouble to build, but management hasn't seen fit to support in its entirety.