I’m feeling that I may have been unprecise in my post.

When I discovered the story, I was simply astonished. Then, I started to think about the reasons I could have happened. Lack of controls ? Seems not, the staff had to report daily about their operations. Lack of internal audits ? Seems not, thay had their own staff and they were trained. Lack of external audits ? Maybe, but I guess not.

The problem, as far as I know, is not that the controls weren’t present, but that they were documented in detail and that some people could know how to circumvent them. That’s one of the major failures. Although I’m not prone of security by obscurity, it’s obvious that if you give all the documents to attackers, there are more chances they’ll succedd in their forfeiture.

That was the reason why I mentioned that this guy now has chances to be hired by mafias or gvt agencies. He may not be a good trader, but as only few people are able to act, he behaved as a hacker. As Kevin Mitnick (or others), he isn’t the best but he’s got a different mind, he was able to see things differently.

One of the main concerns auditors (and security professionals) have, is that they are “narrow minded”. They have formal processes to audit, use standardized tools and methods, and most of the time aren’t able to settle into the mind that should be required in order to see “things that shouldn’t occur”.

A chief security officer will be good if he buy the latest security appliances, starts a 27001 certification and trains people.

A chief security officer will be brillant if, in addition, he can grasp the intruder’s mind and anticipate, by imaginating what, why, when, and how the intruder can act.

That’s what most audit teams cannot do… they aren’t trained to do so, they aren’t molded to act so.

Let’s compare with something totally different : Army. Traditional audit teams are like normal soldiers. They are trained to obey and fight (control) but they won’t be able to do anything when the ennemy is “abnormal”, like it’s more and more the case in asymetric wars and terrorism. To fight against terrorism, the only way is to train special forces, with extra knowledge that not only ables them to be stronger, but also and most of all ables them to “act like ennemies”, and think the same as them. This is the only way to gain victory.

In short, let’s summarize : audit teams and controls are useful, but they will only detect what they look for. If you want to “detect the undetectable”, you need a kind of “special forces” team that thinks like the ennemy to anticipate its moves…. Know your ennemy…

@bty, Ghost… This problem is not specific to french firms as you tend to say. I believe it’s common to all companies and structures.

Bruno, I’m not surprised when I discovered your post ! You’re very reactive!

The “fraud” reveals the deficiencies of organisation and internal controls. Which are both Achille’s heel of French firms! Sorry for my generalization but I saw many lack of procedures and deficiencies on accounting and financial departments! They don’t want to allocate money for organization and internal or external audits! (and not only for IT processes but also for human and technical organization)

Ghost’

PS : sorry for my bad english… If you want to correct me…