Addressing Common IT Gaps For Investment Management Firms
Global IT provider, Eze Castle Integration, has been running an educational program for October’s ‘Cyber Security month’ and on Thursday, October 11th, hosted a webinar entitled ‘Addressing Common IT Gaps for Investment Management Firms’. AlphaWeek is publishing edited transcripts of these webinars. The speakers are Alex Beher, Director, NY Service, Eze Castle Integration, and Mike Pappacena, Partner, ACA Aponix, moderated by Mary Beth Hamilton, Vice President, Marketing at Eze Castle Integration.
The risk assessment process and how that works for financial firms
Mike Pappacena: One thing that's been really a key focus of regulators, specifically the SEC and for those firms that are NFA registered is to have a rigorous cyber security program in place with advisors. And part of that is conducting periodic risk assessments. That can be conducted either internally by qualified folks or through a third party where a team would come in.
Based on common frameworks, such as NIST, they would perform a review on cyber security and technology risk controls, for example, access controls, data governance, data loss, physical security and resiliency, and look to paint a wholistic risk profile of a firm. One key thing that's important in a risk assessment is to really dig deep and understand nuances about the firm and the type of business that they're in. For example, when you're looking at registered investor advisors, whether it's across a hedge fund, private equity fund, etc., focusing on how investor data is protected and how that information flows through a firm's ecosystem is important.
When we look at firms in terms of governance, we do see obviously a focus on regulatory compliance. In some cases we see firms addressing operational risk but not necessarily looking at their cyber security and technology risks. The first step as part of that governance is including cyber security and technology risk with respect to the other risks that you look at as a firm. In many cases, that responsibility falls largely on compliance officer. In some cases, there's a chief technology officer that works alongside the COO. If the firm is large enough, they may elect to dedicate someone from a cyber security standpoint and have a chief information security officer. Smaller firms may not necessarily have those resources.
How are smaller firms that may not have dedicated internal resources are handling this?
Alex Beher: Today, even the smaller firms think about cyber security seriously and not looking at it as an IT department function. More than ever, it takes a mix of internal people taking responsibility for regulation policy. But it also requires help from outside, like third party consultants, third party vendors. And whilst larger firms tend to focus on employing their own IT and internal security teams, the smaller firms tend to rely more on third party consultants and vendors to fill in this gap. These days, it’s a full-time job to stay on top of all the information and policies and new regulations that are coming from various governing bodies, whether it's the European Union, United States, or a specific state where the company may have an office. And that's why those smaller firms need to rely on a third-party consultant because it's very easy to get lost with the huge, unending amounts of data. Firms trying to stay ahead of the curve want to make sure they meet the regulations that they're subject to and stay up to date. It's often very difficult to know what information is applicable to them and what isn’t. That's when the turn to the third parties to consult them on this and to fill in the gap that they can't do internally.
Mike Pappacena: I think that what firms are starting to realize is that cyber security is not just about technology, it's also about the operation and the risk management piece. And that's crucial for firms to think about when they put their governance program in place.
IT asset management: holes to plug
Mike Pappacena: It’s key to understand what assets a firm has. An asset can mean many different things. It's important for firms to really understand what their inventory is from a hardware standpoint, like servers that they're using, work stations, laptops, mobile devices. All these different devices are an access point to a firm's information, and it's important that firms have an inventory of that.
On the software side, what are the systems and applications that firms are using? You have trading systems, which could be deployed either on-premises or externally. You have customer client relationship management software and accounting software, and you have other third parties that provide information and exchange information through portals, like a fund administrator. When you start thinking about where those assets are, you could very easily see that it's not just about what a firm has or "owns"; but also software as a service and third-party services. What you're using that's externally hosted is something that you should inventory. As you start thinking about where data is and who has access to what resources, understanding your software as a service is extremely important. As more firms move more and more of their services off-prem and into the cloud, the importance becomes higher.
Best practices in classifying data and permissioning access
Alex Beher: There are tools available that can scan your data and help classify it; they usually have a database of pre-defined sets of rules that can be checked against your data and then put the different sets of data in the data packets to help you understand really what data that you have. These tools allow you to customize those rules as well to help you specifically build them around the needs of the firm.
We recommend conducting an annual review cycle of all IT assets to fully understand if there have been addition or deletion changes, and how the technology is managing that data and what controls are in place to protect it. We see a lot of firms leverage user provision and identity management software to facilitate the process of provisioning and managing new user access, but we also see firms still doing things the old fashion way. This can be effective for a lot of firms if they and their IT administrator understand and employ the ‘principle of least privilege’.
The principle of least privilege states that the access for the user should be limited and based strictly on whether they need it. Employees who are staff need only have access to the system and data that allow them to do their job. Any additional level of access or additional exposure to data that they don't need for their job should be removed.
Alex Beher: A vulnerability assessment scans the environment and network to determine areas of vulnerability and create a database of known risks. Vulnerabilities are often classified based on severity and you get a report that lists all of the found vulnerabilities, the severity of their risks, and difficulty to remedy. With the penetration test on the other hand, it's vulnerability assessment with tools and people behind it. Using a testing tool, it simulates real world attack scenarios and determines if the hacker would be able to gain entrance into the firm's network using those vulnerabilities. When we talk about vulnerability assessments with our clients, given all the off the shelf products and solutions that they have, we recommend having the vulnerability assessment running regularly as a healthy way to protect them from new vulnerabilities. When the VA runs, and you find new vulnerabilities you then raise this with software vendor.
A penetration test is usually more applicable when you have custom developed software that you need to ensure is properly secure, whether that’s your external patient website, your externally accessed portal or remote access to your environment; systems where you need to ensure that your system is securely protected and can't be penetrated.
It's specifically very relevant with your internet patient site. Here at EzeCastle we have our customer portal that has been custom developed for us, so we've delivered several projects to the penetration test to make sure that it's secure and hardened to protect our customer's data.
It's a good a practice to have vulnerability assessment done regularly to keep on top of recently identified vulnerabilities. There are several different vendors; ACA being one of the common ones that many of our clients use. I think the key to VAs and pen tests are taking a risk-based approach. Firms need to identify the key risk during the risk assessment process and then use those identified risks to tailor their approach to a vulnerability assessment.
Frequency of vulnerability assessments and common gaps
Mike Pappacena: Often, when we visit a new client, we're doing the first vulnerability assessment that they have gone through. At a minimum we would want to see vulnerability scans being conducted on an annual basis. The vulnerability assessments provide a good view of everything that's on your network and can highlight where there are potential gaps, breaks and items that need to be addressed.
Something that you might find is devices that are unpatched. If you see that on a vulnerability assessment, it's not just about patching the device; it's more about figuring out why these devices aren't patched to begin with and reviewing your patch management process, so the next vulnerability scan won’t reveal so many concerns.
It's important to really understand the difference between vulnerability assessments and penetration testing. The vulnerability scans will just tell you where you have potential exposure; where a pen test will look to see what's open and try to access. A pen test is something that firms should consider doing annually every-other year.
What risk elements should be incorporated into a vulnerability assessment?
Mike Pappacena: Taking risk-based approach means looking at what assets I have and where I want to look for vulnerabilities. When we talk about a risk-based approach to pen testing, there are different ways to pen test and different things that can be pen tested. This has to do with thinking about your biggest risks. Someone forcing their way in externally through a firewall is far more unlikely than a bad actor getting access to the premises and being able to plug a device into your network. You need to look at the most likely scenarios for something to happen, and then targeting your testing around that. It’s different for each firm.
Patch management process and strategies
Alex Beher: Patch management is one of the important defence mechanisms that can protect your organization from cyber-attacks and hacking. It's also becoming a top tier question on investor due diligence that we see with our clients; the investor looks for insurance that comes with firms staying current with software system upgrades. It's imperative that the firm has a solid and robust patch management program.
Patching is like a vaccination; you use a vaccination to prevent yourself from getting a virus. Patching prevents computers from being vulnerable to viruses. So when a virus emerges, or somebody develops a specific virus to hack the computer's operating system or applications, the operating application will need to develop a new patch.
With that in mind, patching will only be effective when it's done on a regular basis. It also needs to be properly managed to ensure those patches are properly tested and verified. People often forget about testing patches, but it's an important part of any patch management program; with every new patch there is the likelihood of compatibility issues with the application. Often, when the vendor develops a patch, they don't have capacity to test it with every single application out there, so if the firm has a lot of different applications, it's important that that patch is tested in their UET or development environment before it is rolled out in production, as this helps minimise the necessary down time.
Given the huge number of patches and different software solutions that need to have patches developed for them, it's important that there is a process to track all those patches. Usually, it needs to be as automated because it's incredibly difficult to do it manually. At EzeCastle, we have a patch program called EzePatch Management, which includes all of these points and automation to identify the approval process for patches that need to be deployed, as well as the testing program for those patches to be rolled out to production.
Frequent gaps identified in patch management
Mike Pappacena: Often what we see of out in the field with clients is no formal cadence to patching; no real vetting of patches before they’re deployed. A lot of times we see patching not automated, done manually, with a lack of validation that the patches have worked.
One of the key things that we see are devices where patches fail. Perhaps you have a mobile device like a laptop that's not connected to the network; outside of the auto update you wind up with machines that are lagging behind so it’s crucial to put in place monitoring of all devices, and put some sort of preventative controls in place, like enforcing that patches are updated if a laptop is off the network for a period of time before it can connect back in.
If critical patches fail on a deployment, you need a process to say within 24 to 48 hours you address the critical patches. If patches are less critical you can wait until the next patching cycle, but putting in place a process for critical patches is key. When you talk about evidencing this to a regulator or ODD team the reports are good but you need to show that you have a program.
The other thing we see as a frequent gap is that most of the time folks are just talking about Windows and/or operating system patches. Third party patches are also really important. You have to make sure that you are patching your third-party programs. A lot of time, patching programs don't necessarily address non-operating system or non-Windows, and firms need to really understand that if they have important software that's used by everyone, whether it's a Java plug-in or a third-party pdf reader, that you are updating those as well.
You also need to ensure that your infrastructure provider or your internal technology team are patching non-Windows machines. If you've got other operating systems, appliances, voice systems, have a process in place to make sure that they're kept up to date and patched as well. You don't want to forget about all the other devices that are connected to your network. Whoever's responsible for managing those devices should be patching those as required by the vendor, with at least an annual review to make sure that there's nothing out there that needs to be addressed.
Phishing scams and other types of targeted emails, schemes, or attacks
Alex Beher: The ultimate goal of social engineering is to trick the end user to divulge information, whether it's credentials or personal financial information or company financial information. These attacks are getting more and more sophisticated every year. There is a lot of information out there about the company or person that is easily available over the internet to anyone, which makes it easier for any attacker to target a specific individual because they know enough about the person and their role in the company to easily craft an email that would appear to be coming from somebody that the person knows or somebody who is knowledgeable about the organization or the structure.
The key to thwart social engineering is not an expensive piece of technology but rather a commitment to user education and user training. Firms should have mandatory and frequent training to remind them of cyber security risk and the consequences of our latent security policies. Employees should understand the risk of taking devices that contain confidential data out of the secure work spaces and they should understand what happens when the device gets stolen from their cars or homes. How do they dispose of those devices and remove the data from them properly? All this needs to be part of the education and training program and the culture in the company needs to be built with cyber security in mind. We always recommend to our clients that they have an effective training program and the most effective way we see to prevent phishing attacks is to train employees.
On top of user training, there are also tools that help you to protect your firm from phishing attacks. Some of the next generation consoles that we see these days have an AI component built in that helps identify certain patterns in the language within the e-mail body and the style of e-mails and flags them as phishing attacks. It also has the ability to create certain rules that will block any external e-mails that try and spoof the display names of your executive, which is an effective way to prevent those e-mails getting through to your organization.
The other tool out there that I've seen is monitoring of domain names. Your organization has a domain name; some have multiple domain names. It costs little to register the domain names these days, so monitor names that are close to your company name(s) for any newly registered domain names that could be used to spoof your employees' e-mail addresses.
Recommendations for mitigating risk around social engineering
Mike Pappacena: Something that's crucial is the multifactor authentication on any kind of email or perimeter access; when accessing systems remotely, instead of just putting in a username and password, you're also putting in a code that you'd get most typically as a soft token that's sent to your phone. If you get compromised with a password and someone gives up a password, if you have that second level of authentication in place, that's a mitigant.
Most phishing e-mails are there to try to put in place some sort of business e-mail compromise, or BEC, to lead to an FTF, or funds transfer fraud. The goal is from a lot of these attackers, is to get someone to send out a wire. By putting in effective cash controls like calling back on wires and changes of contact information and having multiple approvals (so an individual can't set up a wire and do his or her own approval of a wire) all could also mitigate the risk of a loss. I've seen plenty of times where clients' environments have been compromised but because the schemers did not know the internal process around management and because of the cash controls that were in place, the firm was able to prevent something from happening.
One more key take away around social engineering is to really understand the tone of the individuals that send something to you. As an example, if someone got an e-mail from Michael Pappacena, that would be a red flag because I go by Mike. You know in your organizations whether the partners go by nicknames, how they sign off an e-mail and how they address you with a salutation. The tone of an e-mail goes a long way to determine if the e-mail was legitimate, and if something doesn't sound right, chances are it isn't right, and you should always question the source.
Third party risk management
Mike Pappacena: All of your service providers have access to very sensitive information, whether it's investor information, employee information, deal information or research information. You want to make sure that you vet these firms with some rigor.
The first thing that firms need to do is to understand which of their third parties and vendors are riskiest. What data do these service providers have access to or custody of? All of that should be put into a bucket and categorized as a vendor that needs to be diligenced. In addition to that, look at the operational risk of the vendor. You may have a vendor that may not have access to very sensitive data, but operationally, if they struggle to provide the service you should also put them on that list and make those the critical vendors that you do a review of. Our recommendation is to do those reviews once a year or so, because environments change, and controls change, and you want to ensure that you understand that.
One of the biggest gaps that we do see is folks going out and doing some level of diligence, and they don't necessarily follow through with the vendor or third party on remediation. With bigger vendors there may not be leverage for a firm to institute change, but what we do see across the landscape is that more and more of the large firms are hearing from more and more of the small and medium-sized firms that they do perform diligence and addressing cybersecurity risks are important to them. There's strength in numbers.
Where can firms make improvements to their cybersecurity testing and training program?
Alex Beher: What is important is that there is a top down approach to testing and training within the organization, whether it's a password complexity policy, multifactor authentication, mobile device management, IT security policy or asset management. All of these policies should apply to every employee, regardless of their title and position in the company, and what we often see with some firms is that their leadership are being excluded from some of this.
This presents a huge risk to the organization, as most of these people are high level and very high wealth individuals, and they're critical employees to the companies, and they should be protected the most. That's where the focus should be. If you do create those policies and employ those controls, you have to roll them out everywhere and to everyone.
Mike Pappacena: Some of the most effective training comes when you get someone who's an executive of the firm intro the training and let everyone know in the room that it's important. That tone from the top is hugely important.
Specialized training is also important. Firms should have some additional conversations around the cash controls for those employees to make sure that those processes are followed. The executive administration staff has a lot of access to systems and processes that the executives themselves have, for example keeping custody of certain types of credentials and passwords. Performing some additional training with that staff would be beneficial because they have to worry about their own information and a senior executive’s. They're also a target to get to the senior executives.
Lastly, when it comes to policy and policy enforcement, think about the consequences for not doing well on phishing tests. A lot of compromise and most of the breaches come through due to a phishing attempt or a successful phishing attempt. Really laying down the law with staff and saying that if you're failing phishing attempts and phishing tests, maybe there's some consequence. Weaving that in gets it out of the realm of cyber policy and into HR policy.
Alex Beher: When I think about cybersecurity and information security, to me it's a combination of technology, people and, processes. Firms need to take that approach to ensure they're properly protected. In this day and age, when we see technology advances happening so fast, it's just so easy to get stale and complacent. If you're not going to advance, you're going to be left behind and vulnerable.
Mike Pappacena: Make cybersecurity a program, not just a point in time exercise. The landscape changes, threats change. Stay on top of it and make sure that you evolve your program to address current threats and current thinking in this space. It's important that individuals take it to heart and almost take it home with them. What I mean by that is thinking about a lot of the best practices and things that your firm is doing and trying to take that home and being vigilant. What we often find is that folks that are more cybersecurity aware and savvy and practiced in their personal computing and personal use of information will carry this over to work, and vice versa. Making it a part of your culture and how you interact will help protect yourself and protect your organization.
Alex Beher and Mike Pappacena were talking to Mary Beth Hamilton, Vice President, Marketing, Eze Castle Integration. Replay the webinar here.
© The Sortino Group Ltd
All Rights Reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or scanning or otherwise, except under the terms of the Copyright, Designs and Patents Act 1988 or under the terms of a licence issued by the Copyright Licensing Agency or other Reprographic Rights Organisation, without the written permission of the publisher. For more information about reprints from AlphaWeek, click here.