Network Security Threats Exposed: How to Keep Your Firm's Data & Infrastructure Safe

Posted on 04-Dec-2014

Learn about the current threat landscape for hedge funds and investment firms and what best practices to implement to keep your firm's data and infrastructure secure.

Transcript of Network Security Threats Exposed: How to Keep Your Firm's Data & Infrastructure Safe

Network Security Threats Exposed: How to Keep Your Fund’s Data & Infrastructure Safe

Agenda

The Security Landscape

Case Studies

Security: The New World Order

Basic & Enhanced Security Best Practices

Policies & Procedures for Security Management

#ECIsecurity

The Security Landscape

Security is a serious concern for all kinds of businesses.

Firms on Wall Street are particularly vulnerable.

US government taking steps to thwart cyber attacks:

Cybersecurity Act of 2012

SECURE IT Act

A Few Statistics…

46% of SMBs have been victims of cybercrime.

31% are operating without anti-spam protection.

23% have no anti-spyware in place.

15% have no firewalls in place.

13% are operating without any security systems in place at all.

Source: http://press.pandasecurity.com/wp-content/uploads/2010/08/2nd-International-Security-Barometer.pdf

Hedge Fund Security & The New World Order

April 2012

Guess What, Hedge Funds? Lots of People Don’t Like You…

Correction… They *REALLY* Don’t Like You…

Anonymous – We’ll talk about these guys and hedge funds specifically in a few moments…

Or If You Are Lucky… They Only Want to Steal From You…

So How Do They Do It?

Here is the Nasty APT Truth… You’re Already Compromised…

CEO - eSentire
• Mined from LinkedIn
• Inserted into From fields

VP Marketing - eSentire
• Mined from LinkedIn
• Sent to me

Context: Marketing Budget
• Sensible topic and timing
• All completely inference based

Exploit: Excel Macro
• Dirt easy to run executable code
• Tell me you would not click this?

Real Customer Issue: A Super-Awesome Phish…
• Hedge customers were also Stratfor customers
– They received this email only a week after Stratfor was compromised
– Sent out based on the harvested customer list
• Link laden with malicious code waiting on the recipient’s response
• Founder and CEO of Stratfor as sender

More Scary APT Fun… True Story
• Utility company contracted us for a VA (vulnerability assessment)
• We found a standard form PDF used by the company for submitting job applications
• Altered the PDF with an exploit via a modified meterpreter backdoor
• Social engineered submissions via email into HR
• Installed key loggers and obtained admin level access to the core network
• Obtained access to bring down power to 50,000 people in seconds if we were having a bad day…

Another Hedge Fund APT Story (from Krebs on Security)
• Cyber-intelligence firm contacts hedge fund IT to inform it that it had been compromised
• Either that or the hedge fund had a subsidiary in China it knew nothing about
• 15 PCs sending proprietary information back to the attackers
• Exploit missed by 42 anti-virus products

Source: http://krebsonsecurity.com/2011/10/chasing-apt-persistence-pays-off/#more-11589

Scared Yet? We Haven’t Even Talked About Insiders / DLP…

Employee DLP Threat: Malicious or Just Common Stupidity

• Intercepting an employee downloading the entire CRM database to her Gmail account
• That can’t be good… yeah, it wasn’t….
• Leaving memory sticks attached to car keys
• Computers stolen from cars, phones left in bars, the lure of “getting it done”, etc. etc.
• The many BYOD mobility issues

Security: The New World Order

• No longer about indiscriminate “hacking”
• Targeted, highly motivated attacks
• Shortcomings of security tools / “layers”
• Network extrusion realities
• AUP & social media consequences
• Due diligence of institutional investors
• Legislation (e.g. Dodd-Frank)

Multi-Stage Defense: Accepts Penetration as Fait Accompli

1. Initial Target Vehicle (e.g. email payload) – Identification method: Behaviors
2. Carrier / Exploit – Identification method: Signatures
3. Activation – Occurs locally on the machine: Signatures (typically where AV plays)
4. Payload Transfer – Identify: Behaviors & Signatures
5. Attack – Identify: Behaviors & Signatures

Result: Whitelist Behaviors, Not Explicit Signatures

Executable downloaded from Russia: Going out on a limb here but… probably bad for most hedge funds…

Silverlight updates: Normal
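As an added example, not from the ECI deck, this script applies the slide’s rule of judging a download by its behaviour (file type, source, expected update channel) rather than by a malware signature. The proxy log lines, the approved update hosts and the country list are all constructed assumptions.

```python
"""Behaviour-based allowlisting of download events (added example)."""
from __future__ import annotations
from dataclasses import dataclass
import re

# Constructed allowlist: executable downloads are expected only from
# vendor update channels. Hostnames here are assumptions, not real ones.
APPROVED_UPDATE_HOSTS = {"silverlight.updates.example", "updates.vendor.example"}
EXECUTABLE_EXT = re.compile(r"\.(exe|msi|dll|scr|jar)$", re.IGNORECASE)
# Assumed set of countries the firm normally does business with.
HOME_COUNTRIES = {"US", "GB", "CH", "HK", "SG"}


@dataclass
class Download:
    user: str
    host: str
    path: str
    country: str  # geolocation of the serving host, as recorded by the proxy


def classify(d: Download) -> str:
    """Return 'normal', 'review' or 'block' based on behaviour, not signatures."""
    if not EXECUTABLE_EXT.search(d.path):
        return "normal"            # documents and web content: not judged here
    if d.host in APPROVED_UPDATE_HOSTS:
        return "normal"            # e.g. a Silverlight update: expected behaviour
    if d.country not in HOME_COUNTRIES:
        return "block"             # executable from an unexpected country
    return "review"                # executable from an unlisted domestic source


# Constructed sample proxy log: user host path country
SAMPLE_LOG = """\
alice silverlight.updates.example /Silverlight.exe US
bob 198.51.100.7 /update/invoice.exe RU
carol intranet.example.com /reports/q3.pdf US
dave mirror.example.net /tools/putty.exe US
"""


def parse_log(text: str) -> list[Download]:
    """Parse whitespace-separated log lines into Download records."""
    return [Download(*line.split()) for line in text.splitlines() if line.strip()]


def triage(text: str) -> dict[str, str]:
    """Map each user in the log to the verdict for their download."""
    return {d.user: classify(d) for d in parse_log(text)}
```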

What You Should Do: Get Protected…

1. Internet acceptable use policy updated
2. Identify key assets to protect
3. Inventory your defences
4. Vulnerability scan & penetration testing
5. Vulnerability multi-dimensional analysis

What You Should Do: Stay Safe…

1. Advanced Persistent Threats 24x7
2. Data Extrusion 24x7
3. Social Media Monitoring 24x7
4. Whitelisting 24x7
5. Forensic Traffic Analysis: Always Recording

Network Security Threats Exposed: How to Keep Your Firm’s Data & Infrastructure Safe

Potential Security Risks

Cyber attacks & other intrusions

Inbound DMZs

Internal threats

Basic Security Best Practices

Anti-virus protection

Network firewall

Web filtering

Strong password policy

You should already be doing!

Enhanced Security Best Practices

Intrusion detection
– Important to monitor your network and protect your assets
– You need more than just firewall/anti-virus protection

Advanced Password Policy
– Multi-factor authentication

Policies & Procedures for Security Management

You should think about doing!

Policies & Procedures to Support Security Management

Access Control Policy
– Who has access to what?
– Principle of Least Privilege: Not everyone needs access to everything.
– Keep an authentication/access log, e.g. AuthAnvil

Acceptable Use Policy
– Network and system access, email and communications, social media, etc.

Policies & Procedures to Support Security Management

Information Security Incident Management Policy
– Process for dealing with a security incident
– Who is responsible for handling incidents? What does the reporting & investigation process entail?

Securities/Insider Trading Policy
– Make sure employees understand the repercussions of insider trading!

Policies & Procedures to Support Security Management

Visitor/Contractor Premise Access Policy
– Need to monitor access/activity of both internal and external people
– Use physical security checkpoints/surveillance

Personal Communications Device Policy
– What is acceptable behavior for mobile devices?
– Include information on data usage, texting, personal usage and loss/theft procedures

Eze Castle Integration Overview

Founded: 1995

Headquarters: 260 Franklin Street, 12th Floor, Boston, Massachusetts, 02110

Additional Offices: Chicago, Dallas, Geneva, Hong Kong, London, Los Angeles, Minneapolis, New York City, San Francisco, Singapore and Stamford

Core Services
• Strategic IT Consulting
• Outsourced IT Solutions
• Professional Services
• Project & Technology Management
• Communications Solutions
• Network Design & Management
• Internet Service
• Private Cloud Services
• Business Continuity Planning
• Disaster Recovery
• Compliance Solutions
• Storage Solutions
• Colocation Services
• E-Mail & IM Archiving

Awards Received

260 Franklin Street, 12th floor Boston, MA 02110 617-217-3000 www.eci.com