[BreachExchange] Cybersecurity: Don’t Become the Hacker’s Next Victim

Audrey McNeil audrey at riskbasedsecurity.com
Wed Jun 22 19:51:28 EDT 2016


https://blogs.cfainstitute.org/investor/2016/06/22/cybersecurity-dont-become-the-hackers-next-victim/

Investment professionals need to focus on the threat poor cybersecurity
poses to asset managers of all sizes.

Cybercrime and cyberespionage cost the US economy about $100 billion
annually, and the worldwide toll is climbing toward $300 billion. These
numbers are projected to rise even further as the severity and frequency of
attacks increase.

Firms that fall victim to cybercrime potentially face a complete loss of
client confidence. How much damage can result from weak cybersecurity? Just
read the latest headlines about data breaches at large, sophisticated firms
like Home Depot, JP Morgan Chase, and Experian.

Regulators have also taken a hard stance against asset managers with lax
cybersecurity and have issued reprimands and fines to firms that are just
at risk of a data breach.

Despite all the recent publicity about cybersecurity, many still question
whether asset managers need training in it. After all, the thinking goes,
why would hackers target the asset management industry? Why should busy
investment professionals bother to learn about something so technical?

These Were Decent Questions . . . 10 Years Ago

Hackers prey on the mentally unprepared, and the greatest weapon they have
in their arsenals is their targets’ apathy. Nothing sounds sweeter to a
hacker than the words “It won’t happen to me.” Combine a general lack of
interest in cybersecurity with the massive quantities of client wealth and
confidential information stored online, and it is obvious why the asset
management industry is a prime target for hackers.

Still, investment professionals’ apathy about cybersecurity is somewhat
understandable. Much of the training is esoteric, intimidating, and boring.
But it doesn’t have to be. Hacking is actually quite an interesting
process. Consider this hypothetical attack:

Stage 1: Reconnaissance

Everyone leaves a digital trail online: traces of the sites they visited,
the purchases they made, etc. Hackers have ways of tracking this
information through a process known as footprinting, the most important and
overlooked part of any cyberattack. Footprinting is free, legal, difficult
to prevent, and nearly impossible to detect.

Suppose a cybercriminal wants to obtain confidential information about
high-net-worth individuals (HNWIs) at Company X. To begin, the hacker
searches Company X’s LinkedIn page to find members of the portfolio
management team who would have access to the client database. In
particular, the cybercriminal focuses on one individual, “Mr. Doe.” Because
Mr. Doe is an avid social media user, the hacker is able to ascertain his
personal email address, social circles, and internet browsing habits via
his digital footprint.

Next, the attacker uses a port scanner and recent Twitter updates to find
that Mr. Doe often conducts personal business on his company laptop during
lunch breaks.

Stage 2: Infiltration

The hacker scours Mr. Doe’s social media postings and learns that he plans
to attend a fundraiser for a nonprofit, “Volunteer Organization A.” The
attacker discovers that Mr. Doe is a board member and longtime supporter of
the group.

Based on this information, the cybercriminal composes a credible spear
phishing email. To fool Mr. Doe, the hacker purchases a URL very similar to
that of Volunteer Organization A and builds an email template to match its
branding.

The hacker sends Mr. Doe a message from the fake Volunteer Organization A
email address. The attacker knows how to entice Mr. Doe and phrases the
message to sound like a confirmation for his seat at the upcoming
fundraiser. The cybercriminal also times the message so that Mr. Doe will
receive it during his lunch, which is when he tends to use his company
computer for personal business. The unsuspecting Mr. Doe takes the bait and
clicks the “Confirm” button contained in the email.

Stage 3: Escalation

The attacker has embedded a piece of malicious software known as a “remote
access tool” in the fake “Confirm” link. Once Mr. Doe clicks on it, the
hacker has complete access to his work laptop and can now use the computer
to download thousands of confidential client files.

Stage 4: Exploitation

The cybercriminal uses the confidential client files to obtain illicit
lines of credit and to forge identities that can be employed in future
attacks. In addition, the hacker uploads the data to the dark web, where
the information will be sold to other cybercriminals. Word of the
successful attack is anonymously leaked to the media. Details of Company
X’s cyberbreach are widely disseminated, severely damaging the company’s
reputation.

The Post-Mortem

Before writing Mr. Doe off as another hapless victim, consider how common
and simple his mistakes are. Indeed, many well-educated and informed
professionals commit these same errors every day.

But avoiding such mistakes and preventing these attacks is not impossible.
Here are a few tips to remember:

Be careful how much you share on social media. Hackers use public
information to build credibility and perfect their attack methods. Frequent
posts about your location, interests, coworkers, or hobbies generate a
large pool of information for cybercriminals to exploit, allowing them to
find a convincing pretext and identify gaps in your cybersecurity.

Avoid conducting personal business on sensitive machines like work-issued
laptops. Segregating devices prevents hackers from exploiting personal
accounts, which often have fewer security measures.

Be mindful of when you let your guard down. Hackers will take advantage if
you are overly trusting and inclined to believe a good story. Skilled
cybercriminals craft their attacks so that they seem to come from a
credible source, such as a coworker, friend, or loved one. Inspect the
email addresses and embedded URLs before clicking any link in a message.
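As an added illustration of the last tip (example code written for this repost, not part of the original article), the check below flags a sender address or link host whose domain merely resembles a trusted one, the way the lookalike Volunteer Organization A domain in the scenario would. The trusted domain `volunteer-org-a.example` and all sample inputs are constructed.

```python
import re
import unicodedata

TRUSTED_DOMAIN = "volunteer-org-a.example"  # constructed stand-in for the charity's real domain

# Glyph pairs that look alike in many fonts; folded before comparison
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character tweaks of a domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Lower-case, strip accents, and fold confusable glyphs so 'vo1unteér' reads 'volunteer'."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if not unicodedata.combining(c))
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def extract_host(text: str) -> str:
    """Host of an e-mail address or URL; in a URL, anything before '@' is userinfo, not the host."""
    m = re.search(r"://([^\s/<>]+)|@([^\s/@<>]+)", text)
    if not m:
        return ""
    authority = m.group(1) or m.group(2)
    return authority.rsplit("@", 1)[-1].split(":")[0].lower().strip(".")


def classify(text: str, trusted: str = TRUSTED_DOMAIN) -> str:
    """Return 'trusted', 'lookalike', 'unrelated' or 'invalid' for a sender line or link."""
    host = extract_host(text)
    if not host:
        return "invalid"
    if host == trusted or host.endswith("." + trusted):
        return "trusted"
    if host.startswith(trusted + "."):           # trusted name reused as a subdomain elsewhere
        return "lookalike"
    if normalize(host) == normalize(trusted):     # digits or accents standing in for letters
        return "lookalike"
    if levenshtein(normalize(host), normalize(trusted)) <= 2:
        return "lookalike"
    return "unrelated"
```

Run `classify("events@vo1unteer-org-a.example")` to see the confusable case flagged; a mail gateway or user-training tool would apply the same check to the From header and every href in the message.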

Hopefully this all instills a healthy dose of what cybersecurity experts
call “professional paranoia.” It is important to develop that voice in the
back of your mind that cautions against oversharing on social media or
using “password123” to lock a work computer.

Knowledge is power in the world of cybersecurity, and just a little insight
into how hackers think and operate can better prepare you for the next
potential attack and help turn the tide against cybercrime.