Teams across our company are hard at work testing, validating and implementing the many new patches being released from vendors, including Cisco and Microsoft, as a result of the KRACK (‘Key Reinstallation Attacks’) vulnerability.
Warnings around the new vulnerability, KRACK, made headlines earlier this week as its identification meant that virtually any Wi-Fi enabled device could be vulnerable to exploit. This latest exploit also reinforces the importance of being prepared to execute both reactive and proactive patch management measures.
Yet when it comes to patch management, most firms do not have the internal resources necessary to effectively monitor, test and roll-out patches in a timely fashion. Remember the Equifax breach? It is widely reported the Equifax breach occurred because the company missed a patch to address an application vulnerability, which the criminals later exploited.
You Need a Patch Management Service
Outdated systems are dangerous yet all systems can become dangerous if left unpatched. That’s why we recommend looking at a patch management service. Companies – such as Eze Castle Integration! – can provide fully managed patch services to ensure software and firmware remain up-to-date and are proactively monitored to prevent security bugs and malicious exploits, reducing overall firm risk.
There has been discussion for years about whether public or private cloud platforms were more suitable to financial and investment management firms. And that debate continues, but with the addition of a new player – the hybrid cloud.
While the public cloud receives praise for its flexibility and potential cost savings and the private cloud for its robust security and reliable performance, the hybrid iteration essentially marries these features to create a compelling package for firms who don’t fit naturally into the previous two categories.
As its applicability continues to surge, it is worth understanding the concepts and benefits behind the hybrid cloud. Let’s take a look at what makes hybrid environments appealing to some organizations:
Agility & Flexibility: A hybrid cloud model allows a company to combine public cloud assets with those in a private cloud to increase agility and availability. For example, combine Microsoft Exchange and file services via the public cloud with robust security layers and 24x7x365 managed support via the private cloud, and suddenly you’re benefiting from the best of both worlds (hint: we’re talking about the Eze Hybrid Cloud).
During a recent webinar on operational due diligence, we explored the changing ODD environment for emerging managers, and our guest speaker, Frank Napolitani of EisnerAmper, helped shed light on some critical missteps that could cause ODD teams to veto an investment.
At the highest level, investor due diligence experts see the following as the most egregious red flags:
Dishonesty: Demonstrated in the form of failing to disclose or withholding information. This shows a lack of integrity.
Belligerence: When managers exhibit an ‘I’m never wrong’ attitude and are unwilling to listen to objective advice.
Incompetence: When a firm or manager’s skillset doesn’t align with the expertise required for a particular function.
More specifically, there are a number of red flags that can give investors pause and lead to either increased due diligence or an outright rejection. Keep reading for a few reasons drawn from a recent Deutsche Bank survey:
October is Cybersecurity Awareness Month, and since we've written A LOT about security over the last few years, we thought it would be helpful to share some of our favorite articles. Here are some of Eze’s latest and greatest cybersecurity articles - happy reading!
20 Cybersecurity Dos and Don'ts Your Employees Should Follow
What’s the Difference Between Next-Generation Firewalls and Traditional Firewalls?
Six Myths about Hedge Fund Cybersecurity
Is “Smart” Technology Invading Your Privacy?
Top 10 IT Security Audit Gaps and How to Avoid Them
An Achievable Calendar for Cyber Security Plan Implementation
Will Outsourcing Shield You from Cyber Threats?
Here Are Investment Managers' Biggest Cyber Security Fears
We all make mistakes, but when it comes to technology and investment operations, mistakes aren’t an option. So let’s look at seven common cloud mistakes we see financial and investment management firms make and talk about how to avoid them.
Mistake #1: Not Sizing Bandwidth to Business Needs
Determining the right amount of bandwidth comes down to the types of services being delivered and user expectations. Nothing ruins a cloud or really any computing experience like sluggish application and Internet performance.
Beyond bandwidth, firms must also consider latency. While latency issues don’t impact all applications (e.g. email is relatively insensitive), for others it is a killer. Latency has little place in trading applications or voice over IP services. When moving to the cloud, have a realistic conversation with the hedge fund cloud provider about the amount of bandwidth your firm really needs.
Mistake #2: Not Planning for Applications
Not all cloud platforms are equal, especially when it comes to supporting hedge fund-specific applications such as Order Management Systems or Portfolio Accounting Systems. While a hedge fund may not launch on day one with one of these applications, there is a good chance it will require one in the future. To help mitigate future growing pains, a hedge fund should plan for the future when evaluating cloud providers. Being shortsighted can result in future disruptions and integration pains.
With hurricane season fully upon us and Irma bearing down on Florida, firms must ask "Would my firm be ready if there were an emergency today?" and "Would your employees know what to do?" September is National Preparedness Month (NPM) which is sponsored by the Department of Homeland Security and FEMA’s The Ready Campaign in an effort to increase awareness for individuals, businesses, families and communities. NPM aims to encourage the public to make preparedness a part of their daily lives and stresses the importance of being ready for the unknown.
Why should you focus on being prepared?
By teaching your employees why to prepare, your firm will not only demonstrate its importance, but employees will also maintain this knowledge and expertise that will help keep the business operational. Preparation can mean the difference between a successful and failed recovery, both personally and professionally. Educating your employees on what they’ll need at home, where to go, who to contact, etc. will equip them with the right information they’ll require at the time of an incident. With the proper information readily available, employees can focus on helping resume business operations more quickly.
Hackers are tricky. And one common phishing attack trick is registering domain names similar to those of the targeted organizations with the goal of capitalizing on typos or fast readers. It is a modern day sleight of hand.
Here’s an example. You search for West Hamilton Capital and www.westhamiltoncaptal.com pops up. If the phishing site looks similar to the real website, there is a good chance a visitor could be fooled. Additionally, the domain can be used in phishing email scams.
That is why it is important for firms to keep an eye on their company’s domain name variations. Some firms may even wish to proactively register variants or block similar domains to reduce the risk of them being used in social engineering scams against employees.
How Do Firms Monitor Domain Registrations?
DNStwist is a domain name permutation engine for detecting typo squatting, phishing and corporate espionage. Another option is the domain name permutation service DNStwister, which generates a list of domain names similar to the one you enter and checks whether any of them are registered.
According to the DNStwister website, you can subscribe to receive alerts if a new domain similar to yours is registered, or if an existing domain has changed IP address or has been unregistered.
Here’s a sample DNStwister report for the fictitious West Hamilton Capital.
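The permutation-and-compare idea behind the tools described above, as an added example (it is not DNStwist or DNStwister code or output). The function names and the OBSERVED list are assumptions made for illustration; OBSERVED stands in for whatever feed of newly seen or registered domains a firm monitors.

```python
import string

ALPHABET = string.ascii_lowercase + string.digits + "-"

# Constructed sample input, not real registration data.
OBSERVED = [
    "westhamiltoncaptal.com",    # the lookalike from the article
    "westhamiltoncapitla.com",
    "westhamiltoncapita1.com",
    "westhamiltoncapital.com",   # the legitimate domain itself
    "example.org",
]

def typo_variants(domain):
    """Map every single-typo variant of `domain` to the typo class behind it.

    Assumes a registrable domain of the form name.tld; only the name part
    is permuted, so lookalikes under a different TLD are not covered.
    """
    name, _, tld = domain.lower().partition(".")
    found = {}
    for i in range(len(name) + 1):
        for c in ALPHABET:
            found.setdefault(name[:i] + c + name[i:], "insertion")
        if i == len(name):
            break
        found.setdefault(name[:i] + name[i + 1:], "omission")
        found.setdefault(name[:i] + name[i] + name[i:], "repetition")
        if i + 1 < len(name):
            swapped = name[:i] + name[i + 1] + name[i] + name[i + 2:]
            found.setdefault(swapped, "transposition")
        for c in ALPHABET:
            found.setdefault(name[:i] + c + name[i + 1:], "replacement")
    found.pop(name, None)  # the original name is not a lookalike
    # A hostname label cannot begin or end with a hyphen.
    return {f"{v}.{tld}": kind for v, kind in found.items()
            if v and v[0] != "-" and v[-1] != "-"}

def flag_lookalikes(brand, observed):
    """Return {observed_domain: typo_class} for domains one typo away from brand."""
    variants = typo_variants(brand)
    return {d: variants[d.lower()] for d in observed if d.lower() in variants}

if __name__ == "__main__":
    for dom, kind in flag_lookalikes("westhamiltoncapital.com", OBSERVED).items():
        print(f"{dom}: {kind}")
```

Hits from a check like this are candidates for defensive registration, blocking at the mail gateway or web proxy, or a takedown request.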
This article appeared in its entirety in HFMWeek Magazine in August 2017. Part 1 is featured below. Part 2 will appear on Eze Castle Integration’s blog in the coming weeks – stay tuned!
The security risks we face are ever changing, and it’s a full-time job trying to keep pace. Attacks can spread quickly (think: WannaCry) and disrupt systems, networks and operations to the point of disaster. And social engineering scams – e.g. sophisticated, well-timed phishing emails – are targeting users more frequently, meaning your guards need to be up, technology and otherwise.
Unfortunately, many firms often fall short when it comes to their cyber-security protections – and they don’t often realise it until it’s too late. These 10 common IT security gaps highlight areas where investment firms can take steps now to avoid risk in the future. These gaps are preventable, and when the next phishing email hits your inbox or ransomware attack strikes, you can rest easier knowing you’ve plugged these common security holes.
Risk management and governance
Who owns the risk at your business? Cyber strategy and programmes start at the top, so your leadership team/executive board should be involved in discussions around cyber-security preparedness. You should also appoint a Chief Information Security Officer (CISO) to oversee the firm’s security posture. Oftentimes, this individual holds a dual-role within the firm, also operating as the Chief Compliance Officer or Chief Technology Officer.
Risk management does not end with the CISO, however. There should be broad support and input across the firm with regard to cyber-security practices and governance policies.
Ransomware threats are on the rise – WannaCry and Petya are just the beginning. To prevent future cyber threats from causing harm, financial and investment firms should employ security practices that include deep layers of protection. Here are five suggestions to keep in mind:
Back up. Unfortunately, hackers initiating ransomware attacks aren’t exactly on the up-and-up. After they’ve stolen your files and demanded a ransom, they claim files will be decrypted and restored – but those promises are typically dishonest. Odds are, even if you pay a ransom (which you shouldn’t!), your files won’t be decrypted. That means backups are the only way to successfully recover your data. Ensure you leverage a secure and reliable backup and recovery tool that will de-duplicate, compress, encrypt and securely transfer your data to an offsite data center.
Scan. To construct appropriate defenses against external threats, including ransomware attacks, financial firms should conduct regular vulnerability assessments on their networks. These assessments are critical to detecting actual and likely vulnerabilities, including potentially outdated patches. Vulnerability assessments scan for malware, viruses, backdoors, hosts communicating with botnet-infected systems, known/unknown processes and web services linking to malicious content.
Summer is a great time to catch up on old projects, get ahead on fall/winter planning, and check off those bucket list items you’ve had your sights set on. On the technology front, it’s the perfect time to try out some new technologies and get organized.
Here are a few ideas for your summer IT bucket list:
When was the last time you changed your passwords? Have you performed a vulnerability test yet this year? To prevent internal and external cyber-attacks, your firm needs to have a plan in place around cybersecurity. There are a number of deliverables to keep track of, so we recommend using this handy cybersecurity calendar to stay on top of tests, assessments and recommendations.