Financial services firms eyeing the world of cybercrime and hacktivists may think the chances of this happening to them are remote. Most businesses, certainly banks and Wall Street firms, are investing in security through technologies to protect against threats. In fact, according to experts, security is a board-level responsibility. However, some companies are lulled into a false sense of security.
âBy and large, the sad truth is that the biggest obstacle to doing anything is they donât think it can happen to them,â says A.N. Ananth, CEO of EventTracker, a provider of log management solutions focused on the security information and event management space (SIEM). âBut they are also trying from the outside to get through your firewall,â says Ananth. âThey attack the place where you have your weakest defense,â he adds. His firmâs solution is to record audit logs and to send out notifications when there are abnormal patterns.
Businesses need to âgo back to basics and have a full risk management regime,â advises Karl Smith, head of Cyber Security Assurance Services at British Telecom in an interview. As attacks become more sophisticated, itâs important for financial firms patch their systems and install the latest firewall technologies, experts said. Information Assurance, a UK security organization, found that businesses were not patching systems effectively and were not monitoring and were looking at the logs, noted Smith. Also, firms need to install next generation firewalls and proxy servers. âAs threats become more persistent and agile and targeted, they can bypass traditional controls,â added Smith. He cites Fire Eye, a new defensive technology that blocks Internet-born malware. It looks at the threat, unpacks the threat and blocks outbound communications.
âItâs all about layers of security,â comments Steve Schoener, VP of Client Technology at Eze Castle Integration, an IT consulting firm that hosts applications in a private cloud for hedge funds and other investment firms. Intrusion detection and intrusion prevention software can be installed on the network. âThe most dangerous hacker isnât the one that takes down your web site, but implants a virus and very quietly sits there and watches your data,â said Schoener. Todayâs hackers are more sophisticated and more targeted. If they wanted to specifically go after a hedge fund or a specific firm, they would do research to figure out who the people are inside. âThey would seek their email addresses, hunt information ahead of time,â according to Schoener.
ECI partners with a third party to run intrusion detection and intrusion prevention. Schoener contends that hedge funds are better off outsourcing the security to a third party. âWeâre able to provide a higher level of security on our platforms than individual firms are doing themselves,â claimed Schoener.
The two most frequent ways of getting into an organization are by manipulating employees to click on a link or an attachment that infects the employeeâs computer and give the hacktivist access, according to Joram Borenstein, VP of NICE Actimize, the financial crime, risk and compliance solutions provider. The second way is from machines that arenât patched. âVulnerabilities exist such as unpatched desktops and unpatched severs which are the underbellies of the organization,â said Bernstein.
Insider threats such the disgruntled employee also need to be considered, said Ananth. As examples, he cites the cases of Bradley Manning, a U.S. Army soldier who was arrested in May 2010 on suspicion of passing classified information the web site Wikileaks , and more recently that of Edward Snowden, a private contractor for the National Security Agency (NSA) who disclosed the intelligence agencyâs top-secret data mining activities, both of which had privileges. Manning was able to download large amounts of data onto blank CDs and when he walked pasted the security guy he called it âLady Gaga,â said Ananth. Wall Street firms, which have downsized since the crisis of 2008, are not immune from disgruntled network administrators who try devious methods to get revenge, said Ananth.