In January 2008, the name of Jérôme Kerviel became famous. This second-rate French trader generated €5 billion of losses for his bank, Société Générale. Jeremy Epstein uses this story to illustrate 13 lessons for security. His lessons have many points in common with our 10 laws. Some of them are more original. My favorite ones are:
Lesson 1: “Low tech attacks are easier” and, in my opinion, often neglected.
Lesson 7: “Don’t believe everything you read”. This lesson holds true even outside the field of security. Trusted information is a difficult quest.
Non-lesson 11: “Insider attacks (usually) have motivation”
It is perhaps in the motivation space that the failure of Société Générale finds its root. The latest report highlights that the control mechanism over the traders did not work properly. We may question whether that was not on purpose. At the end of December 2007, Jérôme Kerviel had generated €1.5 billion for his bank. To do so, he violated many rules. What would be the behavior of a controller who detects such a violation when it produces such huge profits? (Being a second-rate trader, Kerviel was not authorized to make such huge investments.) Is it not tempting for management to close its eyes? This is another illustration of our law 9: Quis custodiet ipsos custodes?
The paper is in the latest issue of IEEE Security & Privacy, May-June 2008. A good read.
And you, which is your favorite lesson?