Last week, we hosted a webinar on hedge fund security and the internal and external threats firms should be aware of. Following is a short recap of the material presented by Eldon Sprickerhoff of eSentire – a leader in the managed security services space.
For hedge funds and their investors, the reality of cybersecurity threats is a serious one and one that must be proactively and consistently monitored. Investors today expect firms to take steps to thwart potential security threats, which means using vulnerability assessments and penetration tests to identify possible risks.
The truth is that most successful cybersecurity attacks in today’s environment occur via three different methods: malware via email, malware via download and transfer via USB. In most cases, an employee will download an unsuspecting virus or open an unsuspecting email, triggering a malware attack that could open the door for further intrusion. Alternatively, a trend becoming more common is the threat of employees transferring information onto USB drives (whether knowingly or unknowingly), resulting in an internal security breach.
Externally – and regardless of the intrusion method – attacks typically follow a similar path from start to finish. Global security firm Lockheed Martin has identified steps to what they call the “cyber kill chain.”
- Reconnaissance: Collecting information and learning about the internal structure of the host organization
- Weaponization: How the attacker packages the threat for delivery
- Delivery: The actual delivery of the threat (via email, web, USB, etc.)
- Exploitation: Once the host is compromised, the attacker can take advantage and conduct further attacks
- Installation: Installing the actual malware, for example
- Command & Control: Setting up controls so the attacker can have future access to the host’s network
- Actions or Objections: The attacker meets his/her goal (e.g. stealing information, gaining elevated privileges or damaging the host completely)
While the steps may seem well thought-out and can be easily executed by an attacker, the benefit to understanding the cyber kill chain is that it gives the host a chance to counteract. The sooner into the cyber kill chain the host can identify the threat, the better chance it has of thwarting it.
And there are several options for thwarting attacks, depending on the stage in which the attack is identified. Mitigation activities on the host’s part can include: detection, denial, disruption, degradation, deception and destruction. Creating a course of action based on various scenarios and a firm’s current abilities to thwart attacks can gauge effectiveness against such intrusions and provide areas for improvement in a firm’s defense strategy.
As part of an overall strategy, firms should also look to implement the following simple best practices to help prevent costly attacks:
- Enforce strong passwords and (at least) two-factor authentication
- Remove local admin privileges when possible
- Keep patches up-to-date for Microsoft, Adobe, Java Runtime and browsers (the most common threats originate here)
- Restrict executable downloads and installations
Watch below for a full replay of the webinar: Turning Hedge Fund Security Inside-Out!
Be sure to come back to Hedge IT on Thursday for Part 2 of our webinar recap featuring an overview of essential policies and procedures to support technology and operations management as well as a look at mobile device management!
Photo Credit: eSentire
- New Considerations for Launching a Hedge Fund: Insights from the experts
- Corporate Essentials for Successful Hedge Fund Startups
- Recapping a Busy Week in Cyber Security Across the Globe
- What Do Hedge Fund Investors Ask About IT? A Technology DDQ cheat sheet
- Webinar Recap: What Investment Firms Need to Know about Social Media Compliance
- business continuity planning
- cloud computing
- data loss prevention
- disaster recovery
- eze castle milestones
- hedge fund due diligence
- hedge fund marketing
- hedge fund operations
- hedge fund regulation
- help desk
- high frequency trading
- launching a hedge fund
- privacy compliance
- project management
- real estate
- startup & relocation
- trends we're seeing
- videos and infographics