Under Attack
The case of a Pennsylvania man who allegedly used a Trojan horse to capture the password of an investor's online account is a stark example of the security scams investment firms face in the cyber age.
Nineteen-year-old Van Dinh faces criminal and civil securities-fraud charges after he was accused of tapping into a TD Waterhouse account held by a 34-year-old Boston man.
Authorities allege Dinh used the account to buy put options on Cisco that effectively cut his losses on a losing position he had in his own online account at Cybertrader.com.
Securities and Exchange Commission officials allege the accused used an online stock-discussion forum and encouraged people to download software, which included a Trojan horse. Trojan horses allow hackers to take over a computer without the users' knowledge.
John Reed Stark, chief of the office on Internet enforcement at the SEC, says the accused "appeared to be a friendly source that wasn't." The SEC argues Dinh tricked victims into downloading the program, which monitored keystrokes and allowed him to learn passwords and codes.
It's the first case in 424 Internet actions where a hacker has been accused by the SEC of using another person's account to place trades. The case heightens the growing concern about online commerce.
The SEC is so concerned about security and identity theft that it is undertaking a review of procedures and policies firms have in place, says John Walsh, associate director and chief counsel at the SEC.
The SEC has safeguard rules that require firms to have reasonable policies and procedures in place to protect customer records and information, including electronic protections.
Walsh says in the fall, the SEC conducted a number of safeguard reviews, where officials went into broker/dealers and fund companies and "looked at overall electronic security." Those reviews included an examination of policies and procedures, management systems, firewalls, patch management and physical security.
The SEC is also working closely with the NYSE and other self-regulatory organizations to ensure people are putting the necessary security precautions in place.
Walsh says the SEC is looking to identify best practices and find out who is leading and who is lagging. It is also looking to see if an industry standard can provide a benchmark against which firms can be measured. As well, officials are keeping an eye out for unreasonable approaches to security and those firms whose systems fail to make the grade.
The information will be compiled into a report, but it's not clear whether it will be made public.
It's not just the SEC that has its eyes on security. The Federal Trade Commission, which oversees advertising, has stepped into the fray, examining different businesses over their representations about how they keep information secure, says Michael Overly, a lawyer at Foley & Lardner in Los Angeles, who specializes in financial-services technology and the law.
The FTC issued a $12,000-a-day sanction against a retailer, even though there was no breach of information. Instead, the FTC found the retailer's security system didn't live up to its billing and the representations made to customers about protections. That, he says, should concern financial institutions, which often tout how secure their systems are.
The regulators' interest in security is just more pressure on IT managers to get it right.
In the past year, there's been a heavier focus on identity theft, Trojan horses, Web spoofing and worms. They're terms that a few short years ago were difficult to find in the lexicon of security experts.
A recent survey of 7,500 CIOs by PricewaterhouseCoopers and CIO Magazine found 64 percent say their organization has experienced security incidents in the past 12 months. Two-thirds say external forces are most likely the source of hacks, attacks or breaches.
Those who experienced attacks say the most common were malicious code viruses, unauthorized entry and denial of service threats.
The main change in security is the frequency of attacks, says Robert Garigue, chief information security officer at Bank of Montreal, whose responsibilities include its full-service brokerage, BMO Nesbitt Burns, and its online-discount broker Harris Direct. In the past, he says, there would be one or two security events a year. "You used to fight one battle at a time. Now I think the tempo has increased."
When it comes to detecting Web spoofers, Garigue says firms need to watch for the indicators. He says there's usually a sequence of events that precedes an incident: a number of spam e-mails go out in advance to draw people to the site. Such sites will usually be hosted in odd places, like China or Russia. "Strangely enough, a lot of indicators come from our own clients and help desk," he says. Clients will often contact BMO if an e-mail they receive seems odd.
When it comes to fending off viruses, patch management continues to be the rule of the day. "Vulnerability management is a very large challenge for us," says Lee Ann Summers, head of risk management at ABN AMRO. "The problem with the current state of patch management is that it is reactive. When you react all the time, it is hard to maintain a strategic focus," she says.
The sophistication of viruses is making it more challenging to fend off attacks, adds Summers. "Some of this stuff we're seeing underground is really disturbing. They're dumbing down the skills you need for hacking."
Summers says, "Enterprises must protect themselves from outside risk by protecting the perimeter of their enterprise and ensuring basic levels of updates are maintained on the internal network. It's easier to catch a problem before it happens rather than fix it afterwards."
One thing viruses are doing, she says, is "forcing everyone to change the way they look at computing" to better understand "the way that people connect into the enterprise." For example, mobile workers and customers are weak links. "All these connections potentially can be exploited. You need different measures in place to recognize you have these issues."
Matt Beinfang, a senior analyst in the retail-brokerage practice at Needham, Mass.-based TowerGroup, says there's "no perfect solution out there" to battle viruses and keep out hackers. IT administrators know they "can't be expected to block 100 percent of this stuff. If someone wants to get around it, they will figure a way around it."
Technology should not be the only focus when it comes to security. Overly says investment firms are woefully inadequate in ensuring their contracts with vendors and suppliers properly protect information.
He says there's one well-known vendor in the financial-services industry whose contract contains almost no confidentiality protections or guarantees. Overly refuses to name the vendor, but says it's used by a number of broker/dealers.
The problem can be exacerbated if a tech vendor also relies on a third party for delivering its services or offering, he adds.
Investment firms, says Overly, "aren't asking for (protection). That's the problem." One of the easiest concessions to get is an agreement by the vendor on how they will handle information, he says.
If a firm is engaged in an RFP, he says, the tech vendor should be given a questionnaire about security policies and procedures. That should then be attached as a schedule to any contract the investment firm enters into with the vendor.
As well, Overly says, firms need to include an indemnity clause that will make the vendor pay if there's a security breach at its end that results in damages to the firm.
The problem, says BMO's Garigue, is it's early in the Internet game and firms are still learning about security and good practices. He says it's improving. Security is getting more attention and many organizations now have people dispersed throughout them who are responsible for paying attention to potential gaps. "We're creating a cadre of specialists called security officers," says Garigue. They can be found in every department from legal to IT to compliance.
ABN's Summers says, "The way things are changing, you have got to react faster and be smarter. You have to tackle security from a bunch of different fronts and get management support. You need to be creative and use the tools to figure out how to get the best bang for your dollar."