Damian Handzy is global head of risk and George Palmer is cloud security architect at StatPro, a London-based cloud provider of performance and risk analytics for the investment management industry.
Cyber criminals always seem one step ahead. At a recent Association of Luxembourg Funds Industry conference, attendees learned that 60% of cyber attacks take just a few hours to complete, but that 62% of these attacks take several months to discover. Given these timeframes, successful hackers appear to have plenty of time to do their damage. While many fund managers imagine that they make an uninteresting target compared with large banks and online payment systems, the data suggests otherwise. The growing body of cyber-security regulation in the US and Europe also reflects the increased threat now recognised in our industry.
Asset managers, including hedge funds, are an especially interesting target because their high-net-worth investors represent the ideal target if a hacker employs a ‘follow the money’ strategy: access to the identities of a fund's investors along with their banking and similar information can be very valuable. Not least on the list of concerns for fund managers should be reputation risk: if a fund's investors become victims of cyber-crime because of a breach in the fund's security practices, redemptions and lawsuits should not be unexpected.
Ransomware – software that hijacks a computer's contents threatening to destroy the data and its backup, if any, unless a ransom is paid – is becoming increasingly popular, especially as a way to attack high-net-worth individuals and small firms. More than 70% of ransomware victims report paying the ransom, making this a profitable and therefore popular form of cyber crime. A quick online search will reveal examples of asset managers who have suffered this experience.
Both US and European regulators are increasing requirements for fund managers to report incidents of cyber attack because transparency can help fight the phenomenon. Such regulations clearly provide an incentive for fund managers to improve security while simultaneously arming them with the latest information about what form attacks may take.
An ironic aspect of cyber security is that the largest vulnerability point is not in the software or hardware, but rather the users. The human element has long been considered the weakest link: the administrative assistant who keeps the executive's passwords conveniently written down on the desk, the countless employees who use the same – or weak – password for all devices, sites and apps, and the amount of corporate data that walks out the door every day, unencrypted, on laptops and mobile devices the world over. To help identify areas of vulnerability within a firm, some have taken to self-phishing: attempting to lure employees into falling for popular cyber scams to identify which departments of the organisation would benefit most from increasing education about best cyber practices.
One thing is abundantly clear: cyber security is not just "an IT issue", because everyone who works on an online computer or uses a connected device can contribute either to the vulnerability or to the security of the firm. With that in mind, here are three top myths about cyber security.
Myth 1: Cloud security is a misnomer
The ‘cloud’ is as old as the concept of internet security and is quite independent of the level of security: there are both secure and insecure uses of the cloud. Commoditisation has brought better scrutiny of security, resulting in different types of cloud with varying levels of security: public, private, community and hybrid. In each of these types, however, the levels of security and resilience depend far more on which standards are followed and which security measures are implemented than on the type of cloud used. Bottom line: you cannot rely on "the cloud" being secure; you have to make your own use of it secure.
Myth 2: Security innovation is too risky
While security budgets do not always align with the amount of risk, taking advantage of innovative technologies is often more beneficial than risky, with one caveat: it has to be done right. In particular, ad hoc stacks and protocol security extensions offer significant benefits. Indeed, a postmortem disclosed following a 72-hour distributed denial of service (DDoS) attack against the core network of a large content delivery network provider in 2013 reported zero downtime on its native IPv6 infrastructure during the outage. Version 6 of the internet protocol (IPv6) has been around for a long time but its deployment rate is rising only slowly, although transitional implementations have become common. Initiatives such as DNSSEC are slowly gaining traction and are here to stay. DNSSEC is a suite of specifications for securing domain name system (DNS) data, providing origin authentication of DNS data, data integrity and authenticated denial of existence.
Myth 3: Ubiquitous high-grade encryption is the singular solution
Modern computational power has reached a level at which high-grade encryption is the norm. According to a 2015 report from the SANS Institute, an IT security training organisation, brute-force and cryptographic side-channel attacks are falling in number while hackers' focus is shifting toward opportunistic exploitation. Brute-force attacks are targeted, usually automated, attempts to recover data by trying a large number of password or key combinations, while side-channel attacks exploit information leaked by a particular implementation rather than any flaw in the underlying design. Our focus, therefore, should be on auditable enforcement and authentication of encryption methods.
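The distinction between an implementation leak and a design flaw is easiest to see in code. The following is an added example, not code from the article or from StatPro: it compares a secret token against a guess first with an early-exit loop, then with a comparison that always examines every byte. Instead of timing the two versions, it counts how many bytes each one looks at, which is a deterministic stand-in for the timing information a side-channel attacker would measure. The secret, the guesses and the `verify_token` helper are all constructed for the illustration; the hardened path uses Python's standard `hmac.compare_digest`, which is what production code should call.

```python
"""Added example: a timing side channel is a property of the implementation,
not of the algorithm. The early-exit comparison leaks how many leading bytes
of a guess were correct; the constant-time one does not."""
import hmac
import hashlib
from typing import Tuple


def naive_compare(secret: bytes, guess: bytes) -> Tuple[bool, int]:
    """Early-exit comparison. Returns (equal, bytes_examined).

    bytes_examined is the side channel: it is exactly the length of the
    matching prefix plus one, so an observer who can measure the work done
    learns how close the guess was without seeing the secret.
    """
    if len(secret) != len(guess):
        return False, 0
    examined = 0
    for s, g in zip(secret, guess):
        examined += 1
        if s != g:            # stops at the first mismatch -> data-dependent work
            return False, examined
    return True, examined


def constant_time_compare(secret: bytes, guess: bytes) -> Tuple[bool, int]:
    """Examines every byte regardless of where the first mismatch is.

    The result is accumulated with OR over XOR differences, so the loop body
    does the same work for every input of the same length. (Length itself is
    still observable; compare fixed-length digests to avoid that.)
    """
    if len(secret) != len(guess):
        return False, 0
    diff = 0
    examined = 0
    for s, g in zip(secret, guess):
        diff |= s ^ g
        examined += 1
    return diff == 0, examined


# Constructed secret for the demonstration; a real deployment would hold a
# per-user random token, never a literal.
SECRET_TOKEN = b"s3cret"


def verify_token(presented: bytes, expected: bytes = SECRET_TOKEN) -> bool:
    """Production-style check: hash both sides to fixed length, then use the
    standard library's constant-time comparison."""
    a = hashlib.sha256(presented).digest()
    b = hashlib.sha256(expected).digest()
    return hmac.compare_digest(a, b)


def leak_profile(secret: bytes, guesses) -> list:
    """How much work the naive comparison does per guess: the leak, made visible."""
    return [naive_compare(secret, g)[1] for g in guesses]


if __name__ == "__main__":
    guesses = [b"xxxxxx", b"s3cxxx", b"s3cret"]
    print("naive work per guess:   ", leak_profile(SECRET_TOKEN, guesses))
    print("constant-time work:     ", [constant_time_compare(SECRET_TOKEN, g)[1] for g in guesses])
    print("verify_token(valid):    ", verify_token(b"s3cret"))
    print("verify_token(invalid):  ", verify_token(b"s3cxxx"))
```

The point for an auditor is that the cipher or hash in use is irrelevant to this leak; what must be enforced and checked is that every comparison of secret material goes through the constant-time path.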
And here are three fundamental truths.
Truth 1: Reflection and multi-vector attacks make up the majority of attacks in the last two years
According to content delivery network provider Akamai's 2015 security report, 56% of all DDoS attacks mitigated in the fourth quarter of that year were multi-vectored, meaning they attacked multiple layers of vulnerability simultaneously. Think of antibiotic cocktails: attacking with two independent methods simultaneously is a lot harder to defend against.
There is also a sector-based ‘vector-adjustment’ trend. The financial and gaming sectors were mostly hit by repeated stresser/booter-based botnet DDoS attacks (a type of targeted denial of service attempt using systems or services ostensibly built for testing systems' resilience), while the retail sector was most frequently targeted by web application attacks, a 40% and 28% increase respectively compared with Q3 2015.
Truth 2: Perimeter complacency is on the rise
Because of the ever-increasing number of multi-tenanted clouds with a global footprint, organisations put greater focus on perimeter network (DMZ) security and tend to underestimate internal risks. Remember that your security is only as good as your weakest link. In fact, as much as 20% of cyber attacks come from inside the organisation, usually because of lax controls and/or unenforced security and encryption policies.
Truth 3: Security requires a collective defence
According to a study carried out in 2014 by information security think-tank the Ponemon Institute, the highest security risk is at the application layer. In 2015, reflection denial-of-service-type attacks, in which potentially legitimate third-party computers are used to send attack traffic, were on the rise. Today, well-funded multi-layer DDoS attacks are the norm, making traditional, and often reactive, security defences ineffective.
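Reflection attacks (this section) and multi-vector attacks (Truth 1 above) leave a recognisable footprint in flow records: a host receives large replies from well-known amplifier services (DNS, NTP, SSDP and the like) that it never sent requests to, from many different sources, and often over several services at once. The code below is an added example, not from the article or from Akamai, Ponemon or StatPro. It runs a simple detector over a handful of constructed NetFlow-style records: a reply is treated as unsolicited when no matching outbound request from the apparent victim appears in the same record set, and a victim with at least `min_sources` unsolicited reflectors on a service is flagged, with the result marked multi-vector when two or more services are involved. The IP addresses are from the documentation ranges and the threshold is a constructed value for the toy data set.

```python
"""Added example: flag reflection DDoS traffic in flow records and note when
several reflection vectors hit the same victim at once."""
from collections import defaultdict
from typing import Dict, List

# UDP services commonly abused as reflectors/amplifiers, keyed by source port.
AMPLIFIER_PORTS = {53: "dns", 123: "ntp", 1900: "ssdp", 19: "chargen", 161: "snmp"}

# Constructed flow records (src, sport, dst, dport, proto, pkts, bytes).
SAMPLE_FLOWS: List[dict] = [
    # Ordinary web session: client to server and the reply.
    {"src": "198.51.100.5",  "sport": 51000, "dst": "203.0.113.10", "dport": 443,   "proto": "tcp", "pkts": 12, "bytes": 1800},
    {"src": "203.0.113.10",  "sport": 443,   "dst": "198.51.100.5", "dport": 51000, "proto": "tcp", "pkts": 10, "bytes": 9000},
    # Legitimate DNS lookup by the server, and the resolver's answer (solicited).
    {"src": "203.0.113.10",  "sport": 40001, "dst": "198.51.100.53", "dport": 53,   "proto": "udp", "pkts": 1,  "bytes": 70},
    {"src": "198.51.100.53", "sport": 53,    "dst": "203.0.113.10", "dport": 40001, "proto": "udp", "pkts": 1,  "bytes": 120},
    # Unsolicited, oversized DNS replies from several open resolvers (vector 1).
    {"src": "192.0.2.11", "sport": 53,   "dst": "203.0.113.10", "dport": 33333, "proto": "udp", "pkts": 2,  "bytes": 6000},
    {"src": "192.0.2.12", "sport": 53,   "dst": "203.0.113.10", "dport": 33334, "proto": "udp", "pkts": 2,  "bytes": 6000},
    {"src": "192.0.2.13", "sport": 53,   "dst": "203.0.113.10", "dport": 33335, "proto": "udp", "pkts": 2,  "bytes": 6000},
    # Unsolicited NTP replies from several servers (vector 2).
    {"src": "192.0.2.21", "sport": 123,  "dst": "203.0.113.10", "dport": 44444, "proto": "udp", "pkts": 10, "bytes": 4400},
    {"src": "192.0.2.22", "sport": 123,  "dst": "203.0.113.10", "dport": 44445, "proto": "udp", "pkts": 10, "bytes": 4400},
    {"src": "192.0.2.23", "sport": 123,  "dst": "203.0.113.10", "dport": 44446, "proto": "udp", "pkts": 10, "bytes": 4400},
    # A single stray SSDP reply: below the source threshold, so not a vector.
    {"src": "192.0.2.31", "sport": 1900, "dst": "203.0.113.10", "dport": 55555, "proto": "udp", "pkts": 5,  "bytes": 1500},
    # Another host receiving one unsolicited NTP reply: noise, not an attack.
    {"src": "192.0.2.41", "sport": 123,  "dst": "203.0.113.20", "dport": 60000, "proto": "udp", "pkts": 1,  "bytes": 440},
]


def detect_reflection(flows: List[dict], min_sources: int = 3) -> Dict[str, dict]:
    """Return {victim: {"vectors": {...}, "multi_vector": bool}} for hosts that
    receive unsolicited replies from >= min_sources reflectors on a service."""
    # Every (src, sport, dst, dport) seen; used to check whether a reply had a request.
    seen = {(f["src"], f["sport"], f["dst"], f["dport"]) for f in flows}

    per_victim = defaultdict(lambda: defaultdict(lambda: {"sources": set(), "bytes": 0, "pkts": 0}))
    for f in flows:
        if f["proto"] != "udp" or f["sport"] not in AMPLIFIER_PORTS:
            continue
        # A genuine reply mirrors a request the victim sent: victim:port -> reflector:service.
        if (f["dst"], f["dport"], f["src"], f["sport"]) in seen:
            continue
        vec = per_victim[f["dst"]][AMPLIFIER_PORTS[f["sport"]]]
        vec["sources"].add(f["src"])
        vec["bytes"] += f["bytes"]
        vec["pkts"] += f["pkts"]

    alerts: Dict[str, dict] = {}
    for victim, vectors in per_victim.items():
        active = {
            name: {"sources": len(v["sources"]), "bytes": v["bytes"],
                   "avg_pkt_bytes": v["bytes"] // v["pkts"]}
            for name, v in vectors.items() if len(v["sources"]) >= min_sources
        }
        if active:
            alerts[victim] = {"vectors": active, "multi_vector": len(active) >= 2}
    return alerts


if __name__ == "__main__":
    for victim, info in detect_reflection(SAMPLE_FLOWS).items():
        kind = "multi-vector" if info["multi_vector"] else "single-vector"
        print(f"{victim}: {kind} reflection traffic via {sorted(info['vectors'])}")
        for name, v in info["vectors"].items():
            print(f"  {name}: {v['sources']} reflectors, {v['bytes']} bytes, ~{v['avg_pkt_bytes']} B/pkt")
```

On real flow exports the same logic runs per time window, and the request check only works if both directions of traffic are captured at the same vantage point; where egress is not recorded, the large average packet size on reply-only service ports is the fallback signal.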
Organisations should adopt a granular, layer-by-layer approach to security modelled on the open systems interconnection (OSI) stack, complemented with analytics research, proactive threat intelligence and innovation.
The bottom line is that adopting consistent protocols between hardware and software layers allows for stronger security. Hackers' use of multi-pronged attacks can best be mitigated by defenders' use of multi-pronged protection: a combination of compatible hardware, software, vigilance, education and consistent use of protocols.
Between these myths and realities, some things are clear. Fund managers are squarely in the cross-hairs: ‘follow the money’ points directly to the financial services industry. Cyber security is a high-tech endeavour with equally high stakes, so it is critical to have experts on staff. And every member of an organisation is a potential weak link. We all have a role to play in securing our clients' information.
The week in Risk.net, May 19-25 2017