Cybersecurity and Hedge Funds: A Two-Way Street to Automaticity

By Mary Beth Hamilton | Thursday, April 9th, 2015

This article first appeared on Opalesque as part of an ongoing series on hedge fund cybersecurity.

As the frequency of cyber-attacks increases, so too do the maturity of attacks and their methods of prevention and remediation. Think of cybersecurity as a two-way street. One side is trying to deceive and breach, and the other is trying to protect, prevent and detect. The commonality is both are progressing towards automaticity.

Cybercrime: The Evolving Chameleon

A common misconception about cyber-attacks is that they only take the form of fake virus alerts, spam, outlandish emails and the like. On the contrary, a threat can take many forms, and cyber criminals are getting smarter. Today, hacktivists target the automaticity of our behaviors, responses and daily routines. This applies to both the human and business side of things. Cyber criminals now study and familiarize themselves with the daily activities and internal processes of firms to identify gaps and find a way in. The idiosyncrasy is in the simplicity with which cyber schemes are pulled off.

Let’s examine the relatively new technique known as a 'watering hole’, for example. This type of attack occurs when a hacker compromises a website by incorporating malicious code within the page, typically, through exploiting script vulnerabilities. Unbeknownst to the web surfer, he or she is attacked upon simply visiting the compromised website. Cyber criminals select landing pages based on geographic location, entity or general user class. It could be as innocent as an employee ordering lunch for a group meeting via a restaurant’s digital menu, for example. What the employee doesn’t realize is how these sites can download a payload into his or her company’s system with one click. Click fraud enables the hacker to collect money along with banking information somewhat like a virtual vortex, and that’s just the beginning. Zooming out to the bigger picture, multiply this user by hundreds, maybe even thousands contingent on the site’s popularity. The result is a domino effect of infected systems and stolen data.

Websites chosen as the designated watering holes, or unwitting accomplices, can experience extreme resultant damages ranging from monetary and client loss to tarnishing an established reputation. Since many smaller firms and startups don’t have security monitoring for their corporate websites due to budgetary limits, it could be a long time until they discover their site has been compromised.

Click fraud sheds light on another hack method, malvertising. Hacktivists use this strategy to carry out targeted exploits, build botnets and disseminate banking malware. These criminally-controlled adverts appear identical to legitimate advertisements and can be found on any website – often ones that would appear in your browser history. For example, in February 2014, advertisements on YouTube distributed malware to consumers’ computers just by watching the video. A second method of malvertising is when victims are enticed to purchase phony advertisements and bid up to drive search engine optimization (SEO) and improve search rankings. When the ad is up and running, it redirects to a malicious site rather than the company’s elected landing page.

A more popular and extremely successful method of cyber-attacks is known as spear phishing. Spear phishing is a targeted email that appears to be from an individual or business that you know, but is really from a hacktivist. The message usually requests the recipient to take some type of action, whether that be checking his or her voicemail, renewing an order, transferring funds, etc. It was recently reported that the CFO of a hedge fund mistakenly wired $1.5 million to criminals this past March after a phishing attack. Successful campaigns require deep knowledge of what sources victims usually receive emails from, which emails they tend to click URLs within and how to disguise their spoof email so it appears as though it is being delivered from a trusted source. It’s critical that employees do their due diligence and investigate emails with caution by checking email addresses, spelling, logos and URLs as many will be just one or two letters off from the authentic address. Employees should also verify the email’s legitimacy with appropriate departments.

Cyber criminals will also go the lengths of placing an infected USB drive labeled with "confidential info" outside of a firm’s office. The device is left as bait for a curious employee who will then bring the drive inside and insert it into a computer. Upon insertion, viruses pour into the system, compromising and obtaining confidential data. Many of these mentioned cyber strategies target the human stream of consciousness, or our natural counteractions and daily habits. We trust someone, therefore, we open an email believing it is from that individual. We order food and in good faith, believe our favorite restaurant has a trustworthy site because repercussions never ensued as a result of ordering food before. And finally, we are curious by nature, but for some, this can lead to extreme cases of fault.

Curbing the Epidemic and Shoring Up Security

So, what can we do to circumvent and thwart cyber-attacks? On the opposite side of the causeway are our cybersecurity experts and enthusiasts, trying to curb this epidemic with advanced security and detection tools. As hacking techniques progress towards automaticity, so do safeguards and active threat prevention technologies and services. Private cloud providers, such as Eze Castle Integration, are building deep security protections into their services to deliver continuous protection. Firms must do their part and employ Written Information Security Policies (WISP) and controls to verify that all systems are fully safeguarded. This defense in depth technique helps mitigate the risk of an attack, in addition to, recovering from a breach should an incident occur.

Investment firms should also educate employees on cybersecurity, necessary precautions and best practices. Furthermore, when considering outsourcing IT, solution providers should not only be questioned on their portfolio of services, but also on their policies and offerings regarding information security, safeguards, disaster recovery and vendor partnerships.

In today’s world, cybercrime is prevalent and information is king. To effectively combat the ever-evolving threat landscape, we must shore up our security measures and safeguard proactively.