Mark Clancy is intimately familiar with the ins and outs of cyber hacking. As managing director and corporate information security officer at the Depository Trust and Clearing Corp. (DTCC), Clancy's job is to pay attention to how crooks use virtual highways to steal data and assets, and to stay a step ahead. Today that means much more than loading up some antivirus software and patching an operating system.
“Mass attacks still continue, but the more sophisticated ones are targeted attacks,” says Clancy. “This style uses social engineering where they collect information they can find on the Internet about a broker or a client, and then send an email so the conversation seems more plausible. And in the broker/dealer world, bad guys are going after more high-net-worth clients. You go where the money is.”
Cyber attacks are not just a threat to large Wall Street firms; independents, too, have chinks in their armor. And while an eight-person advisory firm may not have seemed like a prime target for a hack a few years ago, that's no longer true, as criminals have gotten more specific about whom they target in an effort to maximize their return on investment.
Most people are fairly familiar with mass-mailed phishing and scam emails: offers of cheap pharmaceuticals from Canada, or a note from Africa offering a cut of a bank balance, all available if the recipient just sends an account number to the scammer. Most people know to delete this spam.
But social networking has made it easier to make phishing personalized. Maybe the email now targets an investor and mentions his financial advisor's name, captured after hacking an email account. The email might mention the recent Yankees game a client attended, details found on an unsecured Facebook page. Did the investor brag about season tickets on first base? That data just got a lot more interesting to a hacker.
After all, hacker criminals are essentially running businesses too. They have expenses, host software on servers and have to pay those monthly bills. Mass attacks may bring in a return. But a well-targeted hack on a high-net worth client? That's a big win.
“A small financial firm, simply from the type of their business and the places where their employees and customers may have gone online because of the wealth, will get targeted,” says Jennifer Bayuk, a security consultant and industry professor at Stevens Institute of Technology, and former chief information security officer at Bear Stearns until its collapse in 2008. “Crimeware operators will harvest that information and then decide where to sell it. Or they may look at the data later, decide the value, exploit it, and you become the target.”
The financial services industry remains a popular target for hackers, with 22 percent of all confirmed breaches hitting this sector, behind only hospitality (40 percent) and retail (25 percent), according to Verizon's 2011 Data Breach Investigations Report, which Verizon compiled with help from the U.S. Secret Service and the Dutch National High Tech Crime Unit, looking at breaches investigated throughout 2010.
Yet before tossing out antivirus software as insufficient, reps should note that malware, malicious software that is typically spread indiscriminately rather than aimed at any particular victim, was still behind 49 percent of breaches in 2010, according to Verizon. In other words? An attack can come from anywhere.
“I actually heard a conference speaker say there's no shame in being attacked,” says Bayuk. “And very good companies have been attacked. However, from a security professional's standpoint, there is shame if the attack is from something that has been known for 10 years, such as malware.”
Dan Guido couldn't agree more. As a security consultant based in New York with iSEC Partners and a teacher at the Polytechnic Institute of New York University, where he teaches information security students how to break into computers, Guido believes that targeted or advanced persistent threats (APT) are growing — but that malware still affects the largest number of people.
“It's a huge unsolved problem,” he says. “More people are getting compromised, there are more advanced back doors, more stolen banking information and credentials, and it comes with higher consequences than in the past. How do you expect to protect yourself against APT if you can't even stop getting hacked by accident, which is what malware is? It's an opportunistic attack.”
Guido believes that the basic premise of creating invulnerable software is itself faulty. The number of routine fixes software companies release should be proof enough that programs are not impenetrable — and that as soon as one patch is released, hackers swarm to find the next chink. And often holes are exploited before a software company can even release its fix.
To Guido, patches are like washing your hands — good personal hygiene, but certainly not the only defense you'd want to employ, for example, if you were in the rainforests of Mexico and wanted to protect yourself against malaria.
Instead, Guido says reps should start thinking about how attackers consider them targets, and then think about the processes attackers use to carry out successful attacks. Like Bayuk, Guido agrees that hackers will use the path of least resistance, and in the case of malware will write software that attacks the programs people use most.
From his own studies, Guido pinpoints these popular entry ways as Oracle's Java, Adobe's Flash, Apple's QuickTime and, as many already know, Microsoft's Internet Explorer. An exploit for one of these programs can be delivered by a visit to a website, by a downloaded video file, or even by an advertisement served on an otherwise legitimate site. Take the London Stock Exchange, for example, where third-party malware was embedded in hundreds of ads on the exchange's website earlier this year.
Most users will employ at least one of these programs daily no matter what operating system they use, which browser they launch to surf the Net, or which websites they visit. And to Guido, each use is an open door to a hacker.
In the case of Java, for example, Guido says that with most websites now built on standard HTML, reps have few reasons to run Java in the browser at all. By disabling the Java plug-in in Internet Explorer (and in any other browser in use), advisors can prevent websites from loading Java on office computers, closing one more door through which an attacker can be invited. Note that this disables only the browser plug-in; desktop applications that depend on Java keep working, and Java itself must still be kept patched.
With more financial services programs moving to the cloud, such as customer relationship management software delivered as web-based applications rather than installed on a client's hard drive, advisors spend more time on the web than ever before. While Bayuk doesn't believe cloud-based computing itself makes advisors more vulnerable, she adds that if a rep's own computer isn't secure to begin with, then working on the web makes it easier to be compromised.
Guido believes that web-based application developers actually owe clients a bit more protection on their side. He points to Gmail as a prime example of a more secure environment because of its use of two-factor authentication: it lets users see where they last logged in, and, if the option is enabled, sends a one-time authentication code to a mobile device as an extra step at login. To Guido, every cloud-based firm should be able to offer this kind of option, and reps should ask whether stronger authentication is available before signing on.
“Ideally, companies should be presenting the information to you,” he says. “So when I see I logged in last from China, I can know that was me. And if I want to use two-factor authentication, I should have the option, too. Lots of good cloud services do it well like Gmail. Lots don't.”
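The "authentication number" sent to a phone that Guido describes is, in most authenticator apps, a time-based one-time password (RFC 6238). The following is an added example to show how such a code is generated and checked; it is not code from this article or from Google. It uses the published RFC 4226/6238 test key (constructed here for illustration, not a real secret), and the function and class names are my own. It goes slightly beyond the text by including the two server-side details that matter in practice: a small time window to tolerate clock drift, and rejection of a code that has already been used.

```python
import hashlib
import hmac
import struct
import time

# Constructed sample secret: the RFC 4226 / RFC 6238 test key, NOT a real credential.
SAMPLE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HMAC-based one-time password for one counter value."""
    msg = struct.pack(">Q", counter)                    # 8-byte big-endian counter
    digest = hmac.new(secret, msg, algo).digest()
    offset = digest[-1] & 0x0F                          # dynamic truncation (RFC 4226 5.3)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)     # keep leading zeros


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30,
         t0: int = 0, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP over the number of time steps elapsed since t0."""
    return hotp(secret, (unix_time - t0) // step, digits, algo)


class TotpVerifier:
    """Server-side check for a submitted code.

    Accepts the code for the current step or up to `window` steps either side
    (clock drift), compares in constant time, and remembers the highest step
    already consumed so the same code cannot be replayed.
    """

    def __init__(self, secret: bytes, digits: int = 6, step: int = 30, window: int = 1):
        self.secret = secret
        self.digits = digits
        self.step = step
        self.window = window
        self.last_counter = -1  # highest step value that has been accepted

    def verify(self, submitted: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = current + delta
            if candidate < 0 or candidate <= self.last_counter:
                continue  # before epoch, or already used: treat as a replay
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, submitted):
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    # Generate the current code for the sample secret and check it against a verifier.
    now = int(time.time())
    code = totp(SAMPLE_SECRET, now)
    checker = TotpVerifier(SAMPLE_SECRET)
    print("code:", code, "accepted:", checker.verify(code, now),
          "replay accepted:", checker.verify(code, now))
```

The secret must be shared with the user's device out of band (typically a QR code at enrollment) and stored server-side with the same care as a password hash would be; a verifier that skips the replay check lets an attacker who phishes one code reuse it for the rest of that 30-second step.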
With mobile devices being adopted at a rapid rate among advisors, experts also believe that's the next terrain hackers will look to exploit, particularly Android phones, iPhones and iPads, which are growing popular among financial services firms.
“The threats to mobile devices are real, and we fully expect them to increase and diversify along with the use, uses, and users of such devices,” notes the Verizon report. “The convenience and functionality of these and other similar devices will drive widespread corporate adoption, and security will once again find itself rushing to catch up.”
So where does that leave reps? Install antivirus, apply patches promptly, disable the Java plug-in in the browser, and never send sensitive data over unencrypted email? To the experts, the answer is yes to all of these, plus one increasingly rare tool that cyber criminals hardly employ: the telephone.
“The big message for me is you must have a multi-layered approach,” says Clancy. “And then if you get a strange email, call the client and ask them. My broker knows my voice, and can verify it's me. And if the marketing group sends them something strange, tell them to call you. That's okay, too. In the end, that might mean more chances to get in touch with your client, which honestly is a good way to help the overall relationship.”