New York (HedgeCo.Net) – Guest post by Mary Beth Hamilton, vice president of marketing, Eze Castle Integration
Cyber-attacks are among the most pressing threats to global security. James Clapper, director of U.S. national intelligence, acknowledged these threats in a recent congressional address. His remarks emphasized the need for organizations of all types to prepare against potential intrusions, which may originate from criminal groups, governmental entities, insiders or “hacktivist” groups such as Anonymous.
For the investment management industry in particular, it is essential that managers take preventative measures to guard against cyber-attacks. The security threats currently facing the industry are targeted attacks – low volume, high value in nature. In these cases, attackers are well-informed regarding the victimized organization’s asset value, and desire to gain access to the data for their own benefit. They employ detailed plots to gather that information. They also take advantage of the fact that common defense mechanisms such as anti-virus software and firewalls are not preventative in nature, and can only identify threats that have already occurred.
There are several types of cyber-attacks of which investment management firms should be aware, including:
- Phishing scams: In a phishing scam, an employee opens an email which has been socially engineered to appear legitimate. Typically, the email requests information from the recipient, such as usernames, passwords and other critical security data.
- USB media devices: In this case, an infected USB drive is placed in a public space, with the intention that a well-meaning employee will plug it into his or her computer to discover who owns the device. Once plugged in, the device emits malware onto the network.
- Malware via drive-by download: This type of infection takes the form of a virus, spyware or malware. Drive-by downloads occur when a person downloads an infection, either knowingly or without understanding the consequences.
- Universal Plug & Play (UPnP): UPnP technology allows computers and other network-enabled devices to efficiently communicate with one another. Recently, UPnP devices have come into the spotlight due to programming flaws and a lack of required authentication, which have made them easy targets for viral attacks.
As a result of these advanced threats, the investment industry has begun to shift from the use of managed security service providers (MSSPs) to continuous monitoring as a service (CMaaS). In general, CMaaS provides more comprehensive intrusion protection via a multi-faceted approach. The primary components of CMaaS are:
- A sensor on the network which constantly gathers data
- Risk-status displays depicting the data that is gathered from the sensors and used to develop actionable reports
- Human security monitoring by experts who analyze the system reports in order to develop and implement appropriate security measures
- Real-time threat detection and mitigation from security monitoring providers, who have added this step due to the belief that red-flag security events need to be resolved immediately rather than after damage is done
Strategies for ensuring your firm is protected
Our partners at eSentire, an MSSP, have developed a list of steps funds should adhere to in order to keep security threats at bay. These steps are founded on the principles of the Cyber Kill Chain – a concept developed by global security firm Lockheed Martin. This framework emphasizes identifying threats early in order to prevent damage.
- Conduct a vulnerability assessment. Before implementing additional security procedures, companies must authenticate firewall configuration, anti-virus patching, network device security and evidence of criminal activity in order to identify their current vulnerabilities.
- Establish privileged access to critical systems and data. Only necessary employees should be granted access to core data, which should also be stored on password-protected servers.
- Develop and implement an Acceptable Usage Policy. An Acceptable Usage Policy outlines policies regarding software downloads, personal mobile devices, cloud-based email and storage services as well as the access and distribution of sensitive data.
- Employ real-time intrusion detection and mitigation solutions. Firms should monitor all network actions to be aware of breaches, attacks or the unwelcome access of sensitive information.
- Establish legal safeguards. Intellectual property should be protected by confidentiality, non-disclosure, non-competition and non-solicitation agreements.
- Bring only the best employees on board. Employees should be screened pre-hire. Organizations should also conduct regular trainings to ensure all employees are aware of appropriate and inappropriate conduct, contractual arrangements and firm policies.
- Monitor and retain logs of network activity. Firms should restrict electronic transfers, enforce strong password policies, encrypt computer systems, limit accessibility to critical assets and monitor all network activity.
Security policies and procedures
In order to keep sensitive data and systems protected, we recommend that investment firms establish stringent policies and procedures. Following are some effective policies that we’re seeing in use at financial organizations.
- Principle of Defense in Depth: Instead of relying on a single tool, employ several security layers simultaneously. This will reduce the amount of undesired traffic entering the network, which in turn reduces the opportunities for a security breach.
- Principle of Least Privilege: Access to systems and applications should be reserved for only necessary employees. Additionally, all network activities should be monitored and logged.
- Secure User Authentication Protocols: Employ secure user authentication protocols such as providing employees with unique user IDs, using strong password policies, tracking and securing data security passwords and limiting access to only users with active user accounts.
- Information Management Security Policy: Outline all necessary procedures for managing a security violation, including who is in charge of managing a breach, required reporting procedures and communication policies.
- Premise Access Policy: Utilizing surveillance technology and physical security checkpoints, log all on-site activity, including visitors to the building or office.
- Mobile Device Management Policy: Implement strict guidelines for mobile device security. Policies should include the use of passwords on all devices, the ability to remotely wipe devices if necessary and the use of robust encryption tools.
By following industry security best practices and implementing the necessary policies, investment firms can demonstrate an emphasis on data protection and restore faith in investors. Planning in advance also helps prevent potentially costly disasters and ensures that normal business operations can be quickly restored in the case of a breach or other security incident.
About the author
Mary Beth Hamilton is vice president of marketing for Eze Castle Integration, a leading provider of IT and cloud computing services, technology and consulting to hedge funds and alternative investment firms. She has 14 years of technology and marketing experience and holds an MBA from Boston College.
To learn more about Eze Castle Integration, please visit www.eci.com.