Mark Clancy is intimately familiar with the ins and outs of cyber hacking attacks. As managing director and Corporate Information Security Officer at the Depository Trust and Clearing Corporation (DTCC), Clancy’s job is to pay attention to how crooks use virtual highways to steal data and assets — and stay a step ahead. Today that means much more than loading up some anti-virus software and patching an operating system.
“Mass attacks still continue, but the more sophisticated ones are targeted attacks,” says Clancy. “This style uses social engineering where they collect information they can find on the Internet about a broker or a client, and then send an email so the conversation seems more plausible. And in the broker/dealer world, bad guys are going after more high-net-worth clients. You go where the money is.”
Cyber attacks are not just the territory of large Wall Street firms—independents too have chinks in their armor. And while an 8-man advisory may not have seemed like the prime target for a hack a few years ago, that’s no longer true as criminals have gotten more specific about who they target, in an effort to maximize their return on investment.
But social networking has made it easier to personalize phishing. Maybe the email now targets an investor and mentions their financial advisor’s name, captured after hacking an email account. The email might mention the recent Yankees game a client attended, details found on an unsecured Facebook page. Did the investor brag about season tickets on first base? That data just got a lot more interesting to a hacker.
After all, hacker criminals are essentially running businesses too. They have expenses, host software on servers and have to pay those monthly bills. Mass attacks may bring in a return. But a well-targeted hack on a high-net worth client? That’s a big win.
“A small financial firm, simply from the type of their business, and the places where their employees and customers may have gone online, because of the wealth, will get targeted,” says Jennifer Bayuk, a security consultant and industry professor at Stevens Institute of Technology, and former Chief Information Security Officer at Bear Stearns until its collapse in June 2008. “Crimeware operators will harvest that information and then decide where to sell it. Or they may look at the data later, decide the value, exploit it, and you become the target.”
The financial services industry remains a prime target for hackers, with 22 percent of all successful attacks aimed at this sector, just behind retail (25 percent) and hospitality (40 percent), according to Verizon’s 2011 Data Breach Investigations Report, which the tech firm compiled with help from the U.S. Secret Service and the Dutch High Tech Crime Team, looking at breaches throughout 2010.
Yet before tossing out anti-virus software as insufficient, reps should note that malware—mass software programs designed to hit operating systems without any target in mind—was still behind 49 percent of breaches in 2010, according to Verizon. In other words? An attack can come from anywhere.
“I actually heard a conference speaker say there’s no shame in being attacked,” says Bayuk. “And very good companies have been attacked. However from a security professional’s standpoint, there is shame if the attack is from something that has been known for 10 years, such as malware.”
Dan Guido couldn’t agree more. As a security consultant based in New York with iSEC Partners, and a teacher at the Polytechnic Institute of New York University, where he teaches information security students how to break into computers, Guido believes that targeted attacks, or advanced persistent threats (APTs), are growing—but that malware still affects the largest number of people.
“It’s a huge unsolved problem,” he says. “More people are getting compromised, there are more advanced back doors, more stolen banking information and credentials, and it comes with higher consequences than in the past. How do you expect to protect yourself against APT if you can’t even stop getting hacked by accident which is what malware is? It’s an opportunistic attack.”
Guido believes that the basic premise of creating invulnerable software is itself faulty. The number of routine fixes software companies release should be proof enough that programs are not impenetrable—and that as soon as one patch is released, hackers have swarmed to try to find the next chink. And often holes are exploited before a software company can even release its fix.
To Guido, patches are like washing your hands—good personal hygiene, but certainly not the only defense you’d want to employ, for example, if you were in the rainforests of Mexico and wanted to protect yourself against malaria.
Instead, Guido says reps should start thinking about how attackers consider them targets—and then think of the processes they use to perform successful attacks. Like Bayuk, Guido agrees that hackers will use the path of least resistance—and in cases of malware, will create software that will attack the programs people use most.
From his own studies, Guido pinpoints these popular entryways as Oracle’s Java, Adobe’s Flash, Apple’s QuickTime and, as many already know, Microsoft’s Internet Explorer. Within these programs, hackers can write a simple exploit that can load through a website visit, a movie download, or even an advertisement. Take the London Stock Exchange, for example, where third-party malware was embedded in hundreds of ads on the exchange’s website earlier this year.
Most users will employ at least one of these programs daily no matter what operating system they use, which browser they launch to surf the Net, or which Web sites they visit. And to Guido, each use is an open door to a hacker.
In the case of Java, for example, Guido says that with most web sites now standardized for HTML, reps have few reasons to use Java on the web. Instead, by removing the plug-in from Internet Explorer, advisors can prevent Java from loading on office computers, closing just one more loophole where a hacker can be, frankly, invited.
With more financial services programs moving to the cloud, such as customer relationship management software, or delivered as web-based applications rather than installed on a client’s hard drive, advisors spend more time on the web than ever before. While Bayuk doesn’t believe cloud-based computing itself makes advisors more vulnerable, she adds that if a rep’s own computer isn’t secure to begin with, then being on the web will make it easier to be compromised.
Guido believes that web-based application developers actually owe clients a bit more protection on their side. He points to Gmail as a prime example of a more secure environment because of its use of two-factor authentication, allowing users to see where they logged in last, and even sending an authentication number to a mobile device as an extra step if selected. To Guido, every cloud-based firm should be able to offer these kinds of options—and reps should ask if stronger authentication is available before signing on.
“Ideally companies should be presenting the information to you,” he says. “So when I see I logged in last from China, I can know that was me. And if I want to use two-factor authentication, I should have the option too. Lots of good cloud services do it well like Gmail. Lots don’t.”
With mobile devices being adopted at a rapid rate among advisors, experts also believe that’s the next terrain hackers will look to exploit, particularly Androids, iPhones and iPads, which are growing popular among financial services firms.
“The threats to mobile devices are real and we fully expect them to increase and diversify along with the use, uses, and users of such devices,” notes the Verizon report. “The convenience and functionality of these and other similar devices will drive widespread corporate adoption, and security will once again find itself rushing to catch up.”
So where does that leave reps? Install anti-virus, update patches, remove Java from the browser systems, and never send unsecured data over email? To experts, the answer is yes to all and then to also toss in an increasingly rare tool that cyberspace criminals hardly employ—the telephone.
“The big message for me is you must have a multi layered approach,” says Clancy. “And then if you get a strange email, call the client and ask them. My broker knows my voice, and can verify it’s me. And if the marketing group sends them something strange, tell them to call you. That’s okay too. In the end, that might mean more chances to get in touch with your client, which honestly is a good way to help the overall relationship.”
Lay Off the Java
Some tips to keep data safe from cyber hackers and other attacks
While experts believe a holistic approach to cyber security is far more effective than a random series of checklists, there are some points reps can use to at least ensure they’ve strengthened a network to their best advantage.
- DTCC’s Mark Clancy suggests reps who work in small independent offices create two accounts on their PCs—one that controls administrative privileges, and to which they log in only when updating software, and one where all real work is done. He notes that at large firms, most employees don’t have admin rights, and therefore if their computers are compromised, hackers can’t take over the desktop, and potentially the network. For independents, malware infections on computers where admin rights are up and running means a machine—and all its data—is then vulnerable. “You can’t take control of a machine if it’s current and not the administrator,” he says.
- Don’t neglect third-party software. While staying up to date with patches on operating systems is critical, so too is ensuring other programs, from client relationship management software to Adobe Reader, are secure as well.
- iSEC Partners’ Dan Guido says Windows users have an extra layer of protection most don’t use. Tagged Data Execution Prevention (DEP), the option can be found under advanced system settings (http://windows.microsoft.com/en-US/windows-vista/Change-Data-Execution-Prevention-settings) and blocks 14 of 19 known exploits, he says. While not a cure-all, it’s an extra roadblock requiring hackers to spend more time and take more steps trying to get in, which makes the attack potentially less desirable. “When attacks take more time, it also increases an attacker’s costs which means they get less out of it, and it’s less profitable,” he says.
- While mobile devices aren’t targets, yet, encrypting all data stored on these handhelds is a wise move. Passwords employed to protect iPhones, Androids and iPads should also be changed as frequently as desktops—which ideally should be reconfigured every 90 days, and with codes that use at least one letter, number, and if possible, a symbol.
- Jennifer Bayuk notes that security truly should be the responsibility of all employees—not just the chief technology officer, or the principal of an advisory firm. Making every member accountable for ensuring access to data is safe is the best defense. “The key is to make this part of everyone’s job,” she says. “Don’t just manage assets, make sure they’re secure as well.”
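For a small office without an IT department, the checklist above can be turned into a quick self-audit of a Windows PC. The script below is an added example, not from the article, DTCC, iSEC Partners or Microsoft; it only reads settings and reports them, so it changes nothing. It checks whether the current session holds administrator rights (Clancy’s two-account advice), reports the system-wide DEP policy (Guido’s tip; the Win32_OperatingSystem policy values 0 AlwaysOff, 1 AlwaysOn, 2 OptIn, 3 OptOut are Microsoft’s documented meanings), looks for an installed Java runtime via the standard Uninstall registry keys, and reads the local maximum password age to compare against the 90-day recommendation. The function names and the “90 days” threshold are this example’s own choices.

```powershell
# Added example, not the article's own material: a read-only audit of the
# checklist items on a Windows workstation. Run it from the account you use
# for daily work; it reports, it does not change any setting.

function Test-RunningAsAdmin {
    # True when the current token is in the local Administrators role.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-DepPolicy {
    # Win32_OperatingSystem exposes the system-wide DEP setting.
    # 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (Windows programs only), 3 = OptOut (all programs)
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $names = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    [pscustomobject]@{
        Available = $os.DataExecutionPrevention_Available
        Policy    = $names[[int]$os.DataExecutionPrevention_SupportPolicy]
    }
}

function Get-InstalledJava {
    # Search the 64-bit and 32-bit Uninstall keys for a Java runtime entry.
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Java*' } |
        Select-Object DisplayName, DisplayVersion
}

function Get-MaxPasswordAgeDays {
    # 'net accounts' prints the local policy; parse the "Maximum password age" line.
    $line = (net accounts) | Where-Object { $_ -match 'Maximum password age' }
    if ($line -match '(\d+|Unlimited)\s*$') { return $Matches[1] }
    return 'unknown'
}

# --- Report ---
if (Test-RunningAsAdmin) {
    Write-Warning 'This session has administrator rights; do day-to-day work from a standard account.'
} else {
    Write-Output 'OK: running as a standard (non-admin) user.'
}

$dep = Get-DepPolicy
Write-Output ("DEP available: {0}; policy: {1}" -f $dep.Available, $dep.Policy)
if ($dep.Policy -eq 'OptIn') {
    Write-Output 'DEP covers only essential Windows programs; OptOut extends it to all programs.'
}

$java = Get-InstalledJava
if ($java) {
    Write-Warning ('Java runtime present: ' + ($java.DisplayName -join ', ') +
                   '. Remove the browser plug-in, or uninstall Java if nothing needs it.')
} else {
    Write-Output 'OK: no Java runtime found in the Uninstall registry keys.'
}

$age = Get-MaxPasswordAgeDays
Write-Output ("Maximum password age: {0} days (the article recommends 90)." -f $age)
```

The admin-rights check is the one worth running from the everyday account: if it warns, the computer is in exactly the state Clancy describes, where a malware infection inherits full control. The DEP and password-age values are policy settings, so reading them works from any account, but changing them needs the separate administrator login.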