[BreachExchange] Disco, Sex And The Cybersecurity Nightmare

Audrey McNeil audrey at riskbasedsecurity.com
Fri Sep 1 15:23:40 EDT 2017


http://www.fa-mag.com/news/disco--sex-and-the-cybersecurity-nightmare-34320.html

Remember “Disco Inferno” and “The Hustle” and the “anything goes”
promiscuous lifestyle of the late ’70s? All of that did not end very well,
as the world learned that all behaviors are accompanied by their own set
of—potentially very bad—consequences.

This good general rule of life somehow was forgotten in the Internet Age.
Suddenly, we were in a “New Economy.” Everyone was going to be connected
and share information—an electronic “anything goes” era in which
convenience and access were far more important than safety. If you think
about it, there are probably more than a few eerie parallels between the
way people have approached using the internet over the last 25 years and
how they thought about sex in the late ’70s.

But the recent WannaCry ransomware attack (which briefly shut down millions
of computers around the world), along with the hacking of political
campaigns, government agencies and Fortune 500 companies, is probably only
a sniffle compared with what is to come. Someday, hackers will release an
unstoppable computer virus or malware. And the only real protection will be
responsible behavior.

Internet theft is now a very big business—in many cases, it’s done by
government-funded and operated businesses. The stereotypical hacker is no
longer an overweight, personality-challenged geek living in his mother’s
basement. In fact, hackers, virus makers and other cyberterrorists in
countries such as China and Russia openly work in large office buildings as
part of organizations designed to steal money or spread mayhem.

Unfortunately—and this is particularly surprising to anyone who follows
this industry—very few wealth managers seem to recognize the magnitude of
this threat to their livelihoods. Their firms are particularly attractive
targets for bad guys because their clients’ non-public personal information
(Social Security numbers, account info, etc.) is regularly sold in
aftermarkets (known as “darknets”) to organizations that use it to loot
bank and brokerage accounts, steal credit cards and tax refunds.

Typical wealth management firm clients have substantial amounts of liquid
assets and robust credit, so their data can be sold for a high price—in
fact, on the dark web they are referred to as “whales.”

The wealth management landscape is littered with firms—including some of
its largest and most sophisticated—that have already been hit. The CEO of
one multibillion-dollar firm recently clicked on a link in an e-mail and
all of his clients’ e-mail addresses were exported. Another big firm
discovered that hackers seeking client information were sending e-mails
appearing to be from people inside the firm.

Even worse, the bad guys are so sophisticated that not long ago they
managed to get a client’s custodial account information. They then called
the client’s house, pretending it was a routine telemarketing call; the
client picked up the phone and answered “yes” to
several innocuous-sounding questions. What’s the harm, right? Well, the
hackers tape-recorded the answers, then directed the custodian to wire
$500,000 to a bank in Hong Kong. When the custodian called the client to
confirm the wire transfer, the call was intercepted by the crooks, who
responded to questions with the tape recordings of the client saying, “Yes.
... Yes.” It worked and ultimately cost the client $5,000 to get the money
back.

But this cyber threat is not just limited to client assets. As wealth
managers become bigger businesses, they too will become targets. Imagine if
you came into your office one morning and you couldn’t access any client
data, e-mails, phone numbers, financial plans or portfolios, nor your
billing, compliance and personnel information. How could you function? And
how long would it take to replace this information and what would you pay
to get it back?

To prevent this from happening, wealth managers are going to have to change
how they operate. First and foremost, they need to hire a sophisticated
chief information security officer. But given that today there is a
nationwide shortage of about 300,000 people with this expertise, filling
this position is going to be expensive.

And if you thought dealing with a compliance officer was annoying, wait
until you see the policies that a competent CISO (chief information
security officer) is going to put in place. All client and company NPPI is
going to be maintained on a separate set of computers that are disconnected
from the internet, and access to them is going to be tightly controlled.

Employees are going to have one phone for work and another for personal
use. Access to the firm’s information systems from home computers is going
to be much more limited.

Likewise, expect to spend a lot of money on specialized legal advice
because insufficient information security is a quick way to wind up getting
a regulatory enforcement action. Firms are going to have detailed, written
protocols and everyone in the organization is going to have to follow them
to the letter.

Remember the big hack at Target that affected 40 million customers? The
virus was accidentally let loose by a vendor installing a digital
thermostat in the company’s computer system. Guess who is responsible if
something like that happens to your firm?

To protect yourself, your CISO is going to have to audit your vendors’
information security policies and procedures—even those of small vendors
such as the local tech guy who fixes your server. At some point, you may
even have to ban vendors from bringing their cell phones into your offices
(many military headquarters require something similar).

But information security goes beyond just outside threats. You are equally
liable if some junior analyst downloads client information and sells or
distributes it. To protect yourself, you are going to have to do what the
intelligence agencies do—compartmentalize. Only those people with a need to
access information will be able to do so, and any downloads will be closely
monitored.

The “we are one big happy family that shares everything” approach to
running your business is over. Is it just me, or when you hear the term
“WannaCry,” are the Bee Gees in the background singing “Stayin’ Alive”?