Identity and Access Management
Case Study: How to play with 70 billion dollars?
Julien Bois
IAM Solution Architect
April 16th, 2019
What did you hear about this fraud?
Société Générale: Bigger than any Canadian Bank
French commercial bank with, in 2007:
- 150 000 employees
- 30 million clients
- 34 billion $ of income
End of 2007, Société Générale had:
- 35 billion of capital stock
- 7 billion of profit
- 1.3 billion of profit
All amounts are in Canadian dollars
SG CIB: 3 jobs of an Investment Banker
- Trader: buys or sells shares for the bank's corporate clients; earns commissions; no risk
- Own trading: profit thanks to knowledge of the market; exposed to market changes; risk limit: 175 million
- Arbitrageur: uses market inefficiencies (value differences); no risk
Example of Arbitrage Operations
Successful arbitrage operation: TD share between TMX and NYSE. 1 share: CAD 62 on TMX versus USD 48 (CAD 64) on NYSE, a difference of + CAD 2, captured instantly.
Unauthorized directional position, January 2008:
- From 2 to 18: 70,000,000,000 $ / 61,000,000,000 $
- From 21 to 23: DAX 30 futures, - 9,000,000,000 $
Which IAM weaknesses would have let him commit the fraud?
947 fictitious operations to hide the risk taken by the bank:
- Intra-monthly provisions
- Cancelled or updated transactions
- Nonexistent counterparties
- Deferred transactions
Indulgence and access to trading control
Internal move of Jérôme Kerviel:
- From: Control (Middle Office)
- To: Trading (Front Office)
Consequences of the move:
- Understanding of the deficiencies of the control teams
- Indulgence from his former friends
- Retained access to the systems used to follow controls
Proximity control failures
- Trading assistant complicity
- Lack of managerial oversight
- Ignored warnings:
  - Volume increase
  - Unusually high results
  - EUREX warnings
  - Unusual cash needs
  - Incoherent explanations
  - Limit breaches
  - Refusal to take holidays
How could IAM have prevented this event?
Focus 2010 Initiative, incorporated with Fighting Back:
- From 2007 to 2010
- CAD 15 million
- 26 applications
- Paris: 180, World: 100 (2011)
Stream 1: POPS (Personal Organisation Provisioning Services)
- Trustable source for identities
- Business role management
- Appropriate approval for new accesses
- Access deactivation for leavers
Stream 1: Movers management
- Segregation of duties
- Access copy prohibited
- Formalized exception procedure
- Deactivation after moves
Stream 1: Business role implementation
- Permissions and applicative profiles dictionary
- Organizational business roles
- Access sensitivity evaluation
- Stakeholder accountability
Stream 1: UAR (User Account Review)
- Real-time access data
- Access certification
- Account ownership
- Access deactivation checks
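Worked example, added here and not part of the original deck: a small Python model of the movers workflow, business role dictionary and user account review described on the Stream 1 slides. The role names, permissions and the `Identity` class are constructed for illustration, not Société Générale's real role model; the conflict pair mirrors the Middle Office to Front Office move in the case.

```python
from dataclasses import dataclass, field

# Constructed role dictionary (not Société Générale's real one): each business
# role maps to the applicative permissions it grants.
ROLE_PERMISSIONS = {
    "middle_office_control": {"ledger:read", "control_reports:read", "trade:adjust"},
    "front_office_trader": {"trade_book:write", "market_data:read"},
}
# Segregation of duties: holding both roles of a pair is a conflict.
SOD_CONFLICTS = [frozenset({"middle_office_control", "front_office_trader"})]


@dataclass
class Identity:
    uid: str
    roles: set = field(default_factory=set)
    accesses: set = field(default_factory=set)
    approved_exceptions: set = field(default_factory=set)  # old roles kept by formal exception


def sod_violations(identity):
    """Conflicting role pairs the identity currently holds."""
    return [pair for pair in SOD_CONFLICTS if pair <= identity.roles]


def legacy_move(identity, new_role):
    """The weak practice: the role record is updated but every existing
    access is copied along, so control-system access survives the move."""
    identity.roles = {new_role}
    identity.accesses |= ROLE_PERMISSIONS[new_role]


def process_move(identity, new_role):
    """Mover workflow: old roles are deactivated (no access copy) unless a
    formalized exception covers them, then accesses are rebuilt from roles.
    Returns the accesses revoked."""
    before = set(identity.accesses)
    for role in set(identity.roles) - identity.approved_exceptions:
        identity.roles.discard(role)
    identity.roles.add(new_role)
    identity.accesses = set().union(*(ROLE_PERMISSIONS[r] for r in identity.roles))
    return before - identity.accesses


def certify(identity):
    """User account review: compares real access data with the roles held and
    reports accesses no role justifies, plus any SoD conflict an exception left."""
    justified = set().union(*(ROLE_PERMISSIONS[r] for r in identity.roles))
    return {"orphan_accesses": identity.accesses - justified,
            "sod_violations": sod_violations(identity)}
```

Note that the SoD check on roles alone is blind to the legacy move, because the role record looks clean; only the certification step, working from the real access data, surfaces the retained control-system permissions.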
Stream 2: TALC (Technical Account Life Cycle)
- Access approval
- Privileged account management (BreakGlass: planned or incident)
- Segregation between account and access
Stream 2: Privileged access management
- Ownership identification
- Environment segregation
- Accounts and privileges review
- Access management delegation
Stream 4: Advanced Authentication Solutions
- Sésame RTFE: authentication, authorization
- Non-interactive password management
- Strong authentication
Stream Human Resources
- Position rotation
- Mandatory holidays
- Limits formalization
- Control team independence
Which of those initiatives look new?
Conclusion about the event caused by Jérôme Kerviel
- Very small personal gain
- Fortuitous discovery
- Unlucky calendar
- Dramatic consequences
Additional readings
- Green Report (in French): www.lefigaro.fr/assets/pdf/GREEN.pdf
- Initiative Fighting Back (in French): www.societegenerale.com/sites/default/files/documents/Control_messages_updated_final_2905.pdf
Cybersecurity – What is it?
Protect data on 3 aspects:
- Confidentiality
- Integrity
- Availability
Cybersecurity – Which certifications?
Certifications in cybersecurity:
- ISACA (CISA, CISM, …)
- ISC2 (CISSP, ISSAP, …)
- CompTIA (Security+, CASP, …)
- GIAC – SANS
- EC-Council (CEH, …)
- Vendors: Microsoft, Cisco, Symantec, HP, Juniper, McAfee, Red Hat, CA, AWS
15 Top-Paying IT Certifications for 2019 (Global Knowledge)
1. Google Certified Professional Cloud Architect - $139,529
2. PMP® - Project Management Professional - $135,798
3. Certified ScrumMaster® - $135,441
4. AWS Certified Solutions Architect - Associate - $132,840
5. AWS Certified Developer - Associate - $130,369
6. Microsoft Certified Solutions Expert (MCSE): Server Infrastructure - $121,288
7. ITIL® Foundation - $120,566
8. CISM - Certified Information Security Manager - $118,412
9. CRISC - Certified in Risk and Information Systems Control - $117,395
10. CISSP - Certified Information Systems Security Professional - $116,900
11. CEH - Certified Ethical Hacker - $116,306
12. Citrix Certified Associate - Virtualization (CCA-V) - $113,442
13. CompTIA Security+ - $110,321
Cybersecurity – How to learn?
Training is easily available:
- Certifiers: SANS, EC-Council, CompTIA, …
- Books: Amazon, Ottawa Library, …
- Online: Udemy, Cybrary.it, Lynda, Pluralsight, …
- MOOC: edX, Coursera, FutureLearn, …
- Ottawa: Carleton, La Cité Collégiale, Algonquin, …
- Vendors: Microsoft, Symantec, CA Technologies, …
More info: www.cybersecuritymastersdegree.org