Identity and Access Management
Case Study: How to play with 70 billion dollars?

Julien Bois, IAM Solution Architect

April 16th, 2019

Source: ottawa-outaouais.iiba.org


Page 2

What did you hear about this fraud?

Page 3

Société Générale: bigger than any Canadian bank

French commercial bank with, in 2007:

- 150,000 employees

- 30 million clients

- 34 billion $ of income

At the end of 2007, Société Générale had:

- 35 billion of capital stock

- 7 billion of profit, reduced to 1.3 billion once the fraud loss was booked

All amounts are in Canadian dollars

Page 4

SG CIB: 3 jobs of an investment banker

Trader: buys or sells shares for the bank's corporate clients

- Revenue: commissions

- Risk: none (the client carries the market exposure)

Own trading: profits from the bank's knowledge of the market

- Revenue: market movements

- Risk limit: 175 million

Arbitrageur: exploits market inefficiencies

- Revenue: price differences between venues

- Risk: none, as long as both legs are executed together

Page 5

Example of arbitrage operations

Successful arbitrage operation: TD share between TMX and NYSE

- Buy 1 share on TMX for CAD 62

- Sell it on NYSE for USD 48 = CAD 64

- Gain: + CAD 2, instantly, with no exposure to market movements

Unauthorized directional position (January 2008)

- From January 2 to 18: a one-way position of 70,000,000,000 $ in futures (DAX 30)

- From January 21 to 23: the position is unwound for 61,000,000,000 $

- Loss: - 9,000,000,000 $

Page 6

Which IAM weaknesses allowed him to commit the fraud?

Page 7

947 fictitious transactions to hide the risk the bank was carrying

Intra-month provisions

Cancelled or amended transactions

Nonexistent counterparties

Deferred transactions

Page 8

Leniency and access to trading controls

Internal move of Jérôme Kerviel:

- From: Control (Middle Office)

- To: Trading (Front Office)

What the move gave him:

- Knowledge of the control teams' weaknesses

- Leniency from his former colleagues

- Retained access to the control systems, so he could follow the checks being run on his trades

Page 9

Failures of proximity (first-line) controls

Trading assistant complicity

Lack of managerial oversight

Ignored warnings:

- Volume increase

- Unusually high results

- EUREX warnings

- Unusual cash needs

- Incoherent explanations

- Limit breaches

- Refusal to take holidays
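To make the patterns of slides 7 and 9 concrete, here is an added reconciliation check, written for this page rather than taken from the bank's own controls, run over a constructed trade blotter. The counterparty reference list, trader ids, notionals, dates and the 5-day settlement window are all invented; the 175 million figure is the own-trading limit quoted on slide 4, used here as the desk limit. The check flags the three booking patterns from slide 7 (nonexistent counterparty, cancelled booking, deferred settlement) and then shows the core of the problem: a position report that nets every live booking shows zero exposure, while the same books, counting only confirmed trades against known counterparties, breach the limit.

```python
"""Reconciliation check over a trade blotter: flag the booking patterns used to
hide a directional position, then compare the exposure a naive position report
shows with the exposure that only trusted bookings support.

Added example. Counterparties, trader ids, notionals, dates and the settlement
window are constructed; the 175 million limit comes from slide 4."""
from collections import defaultdict
from datetime import date

# Constructed reference data: counterparties that have actually been onboarded.
# A booking against any other name has no real leg behind it.
KNOWN_COUNTERPARTIES = {"EUREX", "BANK-A", "BANK-B"}
DESK_LIMIT = 175_000_000        # CAD, own-trading limit quoted on slide 4
MAX_SETTLE_DAYS = 5             # assumed: later settlement is not yet evidence
AS_OF = date(2008, 1, 4)        # reporting date used in the walkthrough

# Constructed blotter (all bookings are DAX 30 index futures):
# (trade_id, trader, booked, settles, counterparty, notional, cancelled_on)
# Positive notional = long, negative = short; cancelled_on is None while live.
BLOTTER = [
    ("T1", "jk", date(2008, 1, 2), date(2008, 1, 2), "EUREX", 100_000_000, None),
    ("T2", "jk", date(2008, 1, 3), date(2008, 1, 3), "EUREX", 150_000_000, None),
    # offsetting short booked against a counterparty that does not exist
    ("T3", "jk", date(2008, 1, 3), date(2008, 1, 3), "PENDING-CPTY", -300_000_000, None),
    # offsetting short with a far settlement date, cancelled before it settles
    ("T4", "jk", date(2008, 1, 4), date(2008, 2, 15), "BANK-A", -100_000_000, date(2008, 1, 10)),
    ("T5", "jk", date(2008, 1, 4), date(2008, 1, 4), "EUREX", 150_000_000, None),
    # a second trader whose book is genuinely hedged
    ("T6", "ab", date(2008, 1, 4), date(2008, 1, 4), "EUREX", 50_000_000, None),
    ("T7", "ab", date(2008, 1, 4), date(2008, 1, 4), "BANK-B", -50_000_000, None),
]


def suspicious_trades(blotter=BLOTTER, known=KNOWN_COUNTERPARTIES,
                      max_settle_days=MAX_SETTLE_DAYS):
    """Return {trade_id: [reasons]} for bookings matching the slide 7 patterns:
    nonexistent counterparty, cancelled after booking, deferred settlement."""
    flags = {}
    for tid, _, booked, settles, cpty, _, cancelled_on in blotter:
        reasons = []
        if cpty not in known:
            reasons.append("counterparty not in reference data")
        if cancelled_on is not None:
            reasons.append("cancelled after booking")
        deferred = (settles - booked).days
        if deferred > max_settle_days:
            reasons.append(f"settlement deferred {deferred} days")
        if reasons:
            flags[tid] = reasons
    return flags


def net_exposure(as_of, trusted_only, blotter=BLOTTER, known=KNOWN_COUNTERPARTIES,
                 max_settle_days=MAX_SETTLE_DAYS):
    """Net notional per trader on a given date.

    trusted_only=False reproduces a naive position report: every booking live on
    that date nets against the others, so a fake short hides a real long.
    trusted_only=True counts only bookings against a known counterparty that
    settle within the window; anything else is treated as an absent hedge."""
    net = defaultdict(int)
    for _, trader, booked, settles, cpty, notional, cancelled_on in blotter:
        if booked > as_of or (cancelled_on is not None and cancelled_on <= as_of):
            continue                       # not on the books on that date
        if trusted_only and (cpty not in known
                             or (settles - booked).days > max_settle_days):
            continue                       # no evidence that this leg exists
        net[trader] += notional
    return dict(net)


def limit_breaches(exposure, limit=DESK_LIMIT):
    """Traders whose absolute net exposure exceeds the desk limit (slide 9 warning)."""
    return sorted(t for t, n in exposure.items() if abs(n) > limit)


if __name__ == "__main__":
    for tid, reasons in suspicious_trades().items():
        print(tid, "->", "; ".join(reasons))
    reported = net_exposure(AS_OF, trusted_only=False)
    trusted = net_exposure(AS_OF, trusted_only=True)
    print("reported:", reported)              # {'jk': 0, 'ab': 0}
    print("trusted: ", trusted)               # {'jk': 400000000, 'ab': 0}
    print("breaches:", limit_breaches(trusted))  # ['jk']
```

The point of the two views is that the naive report is not wrong about what is booked; it is wrong about what is hedged. A control that only ever reads the net figure will never see the 400 million, which is why the deck pairs the detection of fictitious bookings with an independent control team and with warnings coming from outside the desk (EUREX, cash needs).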

Page 10

How could IAM have prevented this from happening?

Page 11

Focus 2010 initiative, incorporated into Fighting Back

From 2007 to 2010

CAD 15 million

26 applications

[Chart on the slide: coverage by scope and year; figures shown: Paris, 2011: 180, World: 100]

Page 12

Stream 1: POPS (Personal Organisation Provisioning Services)

Trusted, authoritative source for identities

Business role management

Appropriate approval for new access

Access deactivation for leavers

Page 13

Stream 1: Movers management

Segregation of duties

No copying of the previous position's access

Formalized exception procedure

Deactivation of the old access after a move

Page 14

Stream 1: Business role implementation

Dictionary of permissions and application profiles

Organizational business roles

Access sensitivity evaluation

Stakeholder accountability

Page 15

Stream 1: UAR (User Account Review)

Real-time access data

Access certification

Account ownership

Access deactivation checks
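The mover, business-role and review controls of slides 13 to 15 are one mechanism seen from three sides, so here they are together as an added example (my code, not the bank's POPS or UAR tooling): a business-role dictionary derives each person's application profiles, an internal move re-provisions from the new role instead of copying the old access, a segregation-of-duties conflict blocks the move unless an exception is formally recorded, and a user account review flags whatever the current role cannot justify. The role names, profile names, conflict matrix, approver ids and identities are all constructed. The walkthrough replays the slide 8 move both ways: copying access onto the new job, and re-provisioning.

```python
"""Business roles, mover re-provisioning and user account review.

Added example. Role and profile names, the SoD matrix, approver ids and the
identities are constructed; none of it is the bank's real role model."""
from dataclasses import dataclass, field

# Hypothetical permissions dictionary: business role -> application profiles.
ROLE_PROFILES = {
    "middle-office-controller": {"control:trade-validation",
                                 "control:reconciliation", "risk:limit-report"},
    "front-office-trader": {"trading:order-entry", "trading:position-view"},
}
# Segregation of duties: whoever books a trade must not validate or reconcile it.
SOD_CONFLICTS = [
    frozenset({"trading:order-entry", "control:trade-validation"}),
    frozenset({"trading:order-entry", "control:reconciliation"}),
]
# Profiles rated sensitive: granting one needs a named approver on record.
SENSITIVE = {"control:trade-validation", "control:reconciliation"}


class SodViolation(Exception):
    pass


@dataclass
class Identity:
    uid: str
    roles: set
    profiles: set
    approvals: dict = field(default_factory=dict)  # sensitive profile -> approver
    exceptions: set = field(default_factory=set)   # SoD pairs formally accepted


def profiles_for(roles):
    """Profiles that a set of business roles justifies."""
    return set().union(*(ROLE_PROFILES[r] for r in roles))


def sod_violations(profiles):
    return [c for c in SOD_CONFLICTS if c <= profiles]


def provision(uid, roles, approver):
    """Joiner: access is derived from roles; sensitive profiles get an approver."""
    profiles = profiles_for(roles)
    ident = Identity(uid, set(roles), profiles)
    ident.approvals = {p: approver for p in profiles & SENSITIVE}
    return ident


def move(ident, new_roles, approver, exceptions=()):
    """Mover: recompute access from the new roles; nothing is copied from the
    old position. A SoD conflict blocks the move unless an exception is recorded.
    Returns (revoked, granted) for the audit trail."""
    target = profiles_for(new_roles)
    blocking = [c for c in sod_violations(target) if c not in set(exceptions)]
    if blocking:
        raise SodViolation(f"{ident.uid}: {[sorted(c) for c in blocking]}")
    revoked, granted = ident.profiles - target, target - ident.profiles
    ident.roles, ident.profiles = set(new_roles), target
    ident.approvals = {p: a for p, a in ident.approvals.items() if p in target}
    ident.approvals.update({p: approver for p in granted & SENSITIVE})
    ident.exceptions = set(exceptions)
    return revoked, granted


def access_review(identities):
    """UAR: per identity, list profiles no current role justifies (retained
    access), SoD conflicts without an exception, and sensitive profiles with
    no recorded approver. An empty dict means the review is clean."""
    findings = {}
    for ident in identities:
        issues = []
        retained = ident.profiles - profiles_for(ident.roles)
        if retained:
            issues.append(("retained access", sorted(retained)))
        for c in sod_violations(ident.profiles):
            if c not in ident.exceptions:
                issues.append(("sod conflict", sorted(c)))
        unapproved = (ident.profiles & SENSITIVE) - set(ident.approvals)
        if unapproved:
            issues.append(("no approval", sorted(unapproved)))
        if issues:
            findings[ident.uid] = issues
    return findings


def controller_to_trader(copy_access):
    """Replay the slide 8 move two ways: copying the old access onto the new
    job (what the deck says happened) versus re-provisioning through move()."""
    ident = provision("u1001", {"middle-office-controller"}, approver="mo-head")
    if copy_access:
        ident.roles = {"front-office-trader"}
        ident.profiles |= ROLE_PROFILES["front-office-trader"]  # the access copy
    else:
        move(ident, {"front-office-trader"}, approver="fo-head")
    return access_review([ident])


if __name__ == "__main__":
    print(controller_to_trader(copy_access=True))   # retained access + 2 SoD conflicts
    print(controller_to_trader(copy_access=False))  # {}
```

Two design choices matter here. The move never adds to the existing profile set; it replaces it with what the new roles justify, so the old control access disappears without anyone having to remember to revoke it. And the review does not trust the provisioning process: it recomputes the justified profiles from the current roles, so access that arrived by any other path (a copy, a direct grant in the application) shows up as retained access whether or not a move was ever recorded.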

Page 16

Stream 2: TALC (Technical Account Life Cycle)

Access approval

Privileged account management (break-glass access, planned or for an incident)

Segregation between account and access

Page 17

Stream 2: Privileged access management

Ownership identification

Environment segregation

Accounts and privileges review

Access management delegation
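Slides 16 and 17 separate the technical account from the access to it: the account has an owner and lives in one environment, and a person reaches it only through a time-bound break-glass grant that carries a reason (planned or incident), a ticket reference and an approver who is not the requester. The added example below is mine, not the bank's TALC tooling; it implements that lifecycle and the review that goes with it. Account names, user ids, environment clearances, ticket references and the duration limits are constructed.

```python
"""Technical account life cycle: ownership, environment segregation,
time-bound break-glass grants, a usage audit trail and the review that
catches drift after the grant was approved.

Added example; account names, user ids, clearances, ticket references and
duration limits are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed inventory: technical account -> owner and environment.
# svc-batch-uat has no owner, which the review must surface.
ACCOUNTS = {
    "svc-trading-db": {"owner": "u2001", "environment": "prod"},
    "svc-batch-uat": {"owner": None, "environment": "uat"},
}
# Environment segregation: environments each person may touch at all.
ENV_CLEARANCE = {"u3001": {"uat"}, "u3002": {"uat", "prod"}, "u2001": {"prod"}}
MAX_GRANT = timedelta(hours=8)
START = datetime(2019, 4, 16, 9, 0)   # constructed timestamp for the walkthrough


@dataclass(frozen=True)
class Grant:
    account: str
    requester: str
    kind: str        # "planned" or "incident"
    reference: str   # change or incident ticket
    approver: str
    start: datetime
    end: datetime


def request_break_glass(account, requester, kind, reference, approver, now,
                        duration=timedelta(hours=4), accounts=ACCOUNTS,
                        clearance=ENV_CLEARANCE):
    """Approve a break-glass grant, or raise naming the rule it breaks."""
    if account not in accounts:
        raise ValueError("unknown account")
    owner = accounts[account]["owner"]
    if owner is None:
        raise ValueError("account has no owner to approve the request")
    if approver != owner:
        raise ValueError("approver must be the account owner")
    if approver == requester:
        raise ValueError("no self-approval")
    if kind not in ("planned", "incident") or not reference:
        raise ValueError("grant needs a kind and a ticket reference")
    if accounts[account]["environment"] not in clearance.get(requester, set()):
        raise ValueError("requester not cleared for this environment")
    if duration > MAX_GRANT:
        raise ValueError("duration exceeds the maximum")
    return Grant(account, requester, kind, reference, approver, now, now + duration)


def is_active(grant, now):
    return grant.start <= now < grant.end


def checkout(grant, now, audit):
    """Release the credential only while the grant is active; log every attempt."""
    ok = is_active(grant, now)
    audit.append((now, grant.account, grant.requester, grant.reference,
                  "ok" if ok else "denied"))
    return ok


def pam_review(grants, now, accounts=ACCOUNTS, clearance=ENV_CLEARANCE):
    """Periodic review: accounts with no owner, and active grants whose
    preconditions no longer hold (clearance withdrawn, ownership changed)."""
    findings = [("no owner", a) for a, m in accounts.items() if m["owner"] is None]
    for g in grants:
        if not is_active(g, now):
            continue
        if accounts[g.account]["environment"] not in clearance.get(g.requester, set()):
            findings.append(("clearance withdrawn while grant active", g.account))
        if g.approver != accounts[g.account]["owner"]:
            findings.append(("approver no longer owns account", g.account))
    return findings


def demo():
    """One planned grant: used inside the window, denied after it, then reviewed
    after the requester's production clearance has been withdrawn."""
    audit = []
    g = request_break_glass("svc-trading-db", "u3002", "planned", "CHG-1042",
                            "u2001", START)
    used = checkout(g, START + timedelta(hours=1), audit)
    late = checkout(g, START + timedelta(hours=5), audit)
    reduced = {**ENV_CLEARANCE, "u3002": {"uat"}}
    findings = pam_review([g], START + timedelta(hours=2), clearance=reduced)
    return used, late, findings, audit


if __name__ == "__main__":
    used, late, findings, audit = demo()
    print(used, late)      # True False
    print(findings)        # no owner on svc-batch-uat, clearance withdrawn on svc-trading-db
```

The grant is immutable and expires on its own, so the access ends without a revocation step; the approval checks are written as separate rules so a denied request says which one failed; and the review recomputes the preconditions rather than trusting the approval that was valid when the grant was issued. Delegating access management, the last item on slide 17, is the owner field: whoever owns the account approves access to it and is accountable for the audit trail.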

Page 18

Stream 4: Advanced authentication solutions

Sésame RTFE: authentication and authorization

Non-interactive password management

Strong authentication

Page 19

Stream: Human Resources

Position rotation

Mandatory holidays

Formalization of limits

Independence of the control teams

Page 20

Which of these initiatives look new?

Page 21

Conclusion about the event caused by Jérôme Kerviel

Very small personal gain

Discovered by chance

Unlucky timing

Dramatic consequences

Page 22

Additional readings

Green Report (in French):

www.lefigaro.fr/assets/pdf/GREEN.pdf

Initiative Fighting Back (in French):

www.societegenerale.com/sites/default/files/documents/Control_messages_updated_final_2905.pdf

Page 23

Cybersecurity: what is it?

Protecting data along 3 dimensions:

- Confidentiality

- Integrity

- Availability

Page 24

Cybersecurity: which certifications?

Certifications in cybersecurity:

- ISACA (CISA, CISM, …)

- ISC2 (CISSP, ISSAP, …)

- CompTIA (Security+, CASP, …)

- GIAC – SANS

- EC-Council (CEH, …)

- Vendors: Microsoft, Cisco, Symantec, HP, Juniper, McAfee, Red Hat, CA, AWS

Page 25

15 Top-Paying IT Certifications for 2019 (Global Knowledge)

1. Google Certified Professional Cloud Architect - $139,529

2. PMP® - Project Management Professional - $135,798

3. Certified ScrumMaster® - $135,441

4. AWS Certified Solutions Architect - Associate - $132,840

5. AWS Certified Developer - Associate - $130,369

6. Microsoft Certified Solutions Expert (MCSE): Server Infrastructure - $121,288

7. ITIL® Foundation - $120,566

8. CISM - Certified Information Security Manager - $118,412

9. CRISC - Certified in Risk and Information Systems Control - $117,395

10. CISSP - Certified Information Systems Security Professional - $116,900

11. CEH - Certified Ethical Hacker - $116,306

12. Citrix Certified Associate - Virtualization (CCA-V) - $113,442

13. CompTIA Security+ - $110,321

Page 26

Cybersecurity: how to learn?

Training is readily available:

- Certifiers: SANS, EC-Council, CompTIA, …

- Books: Amazon, Ottawa Library, …

- Online: Udemy, Cybrary.it, Lynda, Pluralsight, …

- MOOC: edX, Coursera, FutureLearn, …

- Ottawa: Carleton, La Cité Collégiale, Algonquin, …

- Vendors: Microsoft, Symantec, CA Technologies, …

More info: www.cybersecuritymastersdegree.org