The topic of network security has recently risen to the forefront of discussions in the alternative investment industry. Firms must be cognizant of potential internal and external security threats and take proactive measures against them. Hackers have used the 2008 financial crisis and the ensuing economic recession as motivators to target funds. Experts believe that hackers are getting more sophisticated and more difficult to detect.
Hackers employ a variety of infiltration tactics to access sensitive data. Email systems can be hacked so that the perpetrator can view confidential internal messages. Hackers may also attempt to interrupt Internet connectivity or tamper with important business applications. Typically, hackers engage in a combination of several strategies simultaneously and are often able to do so while remaining undetected. Experts believe that funds of all sizes are at equal risk of becoming cyber security breach victims, so all firms should conduct internal examinations of their information security policies and systems to assess any existing vulnerabilities.
Why Are Investment Firms at Risk?
Large, well-known investment organizations are vulnerable to intrusion because they present hackers with opportunities to profit from sizeable asset pools. Hackers may also seek the notoriety associated with a successful breach of a large firm’s critical systems – an event that will likely garner media attention. In the case of smaller funds, a hacker’s most likely target is intellectual property, such as business plans, trading programs, market forecasts and investment strategies.
Furthermore, state-sponsored hacking – a recent hot topic in the media – has emerged as another threat of which fund managers should be aware. For example, the New York Times reported last month that the Chinese government has been accused of funding and fostering the efforts of “cyberwarriors,” who regularly target organizations around the world to obtain sensitive information. Large asset pools and valuable intellectual property could cause investment firms to become targets for some state-sponsored hacker groups.
Internal and External Threats
Contrary to popular belief, the most common network security threats are internal in nature and typically occur via three primary methods: malware via email, malware via a website download or malware via USB. Most commonly, an employee unknowingly triggers a malware attack by downloading a virus or opening a seemingly innocuous email. This breach then opens the door for further intrusion.
External attacks typically follow a similar path from start to finish, regardless of the intrusion method. Lockheed Martin, a global security firm, has outlined a series of seven steps to what it calls the “cyber kill chain.” The primary advantage of understanding the cyber kill chain pattern is that it puts the host in a better position to counteract the intrusion. The sooner into the cyber kill chain a threat is identified, the better chance there is of stopping it. The steps identified by Lockheed Martin include:
• Reconnaissance: Harvesting information to understand the internal structure of the target organization
• Weaponization: Packaging of the threat for delivery
• Delivery: Delivery of the threat (via email, Web, USB, etc.)
• Exploitation: Once a host is compromised, the attacker takes advantage and conducts additional attacks
• Installation: Installation of the malware
• Command and control: The attacker sets up controls in order to maintain future access to the host’s network
• Actions on objectives: The attacker achieves his or her goal (e.g., stealing information, gaining access privileges or damaging the host network)
Best Practices for Managing Security Risks at Investment Firms
Firms should begin by performing internal vulnerability assessments in order to examine their current ability to thwart attacks. This will help to gauge the organization’s effectiveness in defending against potential intrusions and identify areas for improvement in defense strategies. Then, develop policies governing proper use of company systems and access controls. Be sure to outline the courses of action the firm will take based on various intrusion scenarios.
On a more fundamental level, firms should employ a defense-in-depth strategy, inclusive of antivirus/anti-malware software, network firewalls, deep-inspection proxies and IDS/IPS, to minimize undesirable traffic on the network. However, even a computer running the most recent operating system, with all applications at the most recent upgrade level and with up-to-date third-party antivirus/anti-malware software, can still be subjected to a targeted attack. These attacks are often accomplished by exploiting a software vulnerability that has not yet been acknowledged or corrected by the software vendor and by using a deployment package that escapes detection by well-known endpoint protection programs.
To maximize network and data protection, investment firms should abide by these best practices for maintaining a secure environment:
• Maintain a strong password policy. Passwords should contain upper- and lowercase letters, numbers and special characters. They should be changed frequently and never written down or shared. Typically, password changes are recommended every 30 to 90 days.
• Use multi-factor authentication. Firms should employ (at least) two-factor authentication procedures, in which employees must provide a separate PIN or undergo biometric screening in addition to providing a password.
• Develop access control and acceptable use policies. Employ the principle of least privilege, authorizing access only to employees who need it. In the acceptable use policy, be specific about which systems and applications employees are or are not permitted to access. Be aware that investors may also want a voice in this process.
• Consider network and host-based intrusion detection and prevention deployment. Visibility into how frames and packets move on your network will offer insight into normal and abnormal flows of information. IDS/IPS services can alert you to an attack in progress, questionable traffic flows or a compromised host within your network.
• Implement incident response management procedures. Prepare for potential security issues before they occur. Determine who is responsible for incident management and what steps will be involved in the investigative process. As always, maintain a record of what was done and by whom to keep an accurate trail of events for investors and auditors.