Teams across our company are hard at work testing, validating and implementing the many new patches being released from vendors, including Cisco and Microsoft, as a result of the KRACK (‘Key Reinstallation Attacks’) vulnerability.
Warnings around the new vulnerability, KRACK, made headlines earlier this week as its identification meant that virtually any Wi-Fi enabled device could be made vulnerability to exploit. This latest exploit also reinforces the importance of being prepared to execute both reactive and proactive patch management measures.
Yet when it comes to patch management, most firms do not have the internal resources necessary to effectively monitor, test and roll-out patches in a timely fashion. Remember the Equifax breach? It is widely reported the Equifax breach occurred because the company missed a patch to address an application vulnerability, which the criminals later exploited.
You Need a Patch Management Service
Outdated systems are dangerous yet all systems can become dangerous if left unpatched. That’s why we recommend looking at a patch management service. Companies – such as Eze Castle Integration! – can provide fully managed patch services to ensure software and firmware remain up-to-date and are proactively monitored to prevent security bugs and malicious exploits, reducing overall firm risk.
On our recent Emerging Manager Trends in Operational Due Diligence webinar, we looked at how today’s emerging managers face a number of challenges from fierce competition to the rapidly evolving investor IT due diligence process, especially in terms of scrutiny on technology processes and security safeguards.
The reality is that investors have a greater understanding of technology, are asking more probing due diligence questions and care about the responses they receive. In recent years the depth of DDQ questions around information technology and security has expanded as investors become increasingly savvy about IT and headlines around IT risks have grown.
Here at Eze Castle Integration we regularly assist our clients in completing the IT portions of investor due diligence questionnaires. The wording of questions varies but here is a handy list of 51 common IT due diligence questions we see.
- Provide an organization chart for the Company, its affiliates and key personnel.
- Provide the physical address and general contact information for each of the Company’s office locations.
- Provide the name and contact information of the Company employee(s) assigned to the client’s account(s).
- Provide a list of compliance personnel, their roles and qualifications, the date of his/her appointment and position within the Company’s organizational structure.
From time to time, we like to introduce new voices to our blog and pick their brains about technology trends and industry observations. Most recently, I sat down with Eze Castle’s Director of Technical Architecture, Bob Shaw, to discuss cybersecurity and how clients are responding to increasing threats.
1. Earlier this year, the WannaCry outbreak made a lot of waves and forced firms to reevaluate their protections against ransomware. What would you say is the biggest takeaway from the WannaCry incident?
BS: The first thing I would say to firms – and it sounds simple but it’s not always a given – is don’t pay the ransom! You’ll never get your files back. That’s where the second part comes in, and that’s always have backups. Backups are the only fool-proof method for recovering your data, and it’s critical that firms use robust and secure backup and recovery tools to safely store their files and protect them against these types of incidents.
2. What’s the technology you’re most excited about right now that’s helping firms guard against cyber threats?
BS: Next-generation firewalls are really interesting and effective. We work with Palo Alto to deliver these to our clients, and when we lay out the facts, it becomes pretty evident how beneficial they are. Older, port-based firewalls can’t necessarily detect that traffic is doing, but next-gen firewalls have the ability to analyze unknown traffic and simultaneously develop protections to safeguards networks. Firms also have greater visibility and control in managing applications and content to uniquely implement security protections for their infrastructure.
There has been discussion for years about whether public or private cloud platforms were more suitable to financial and investment management firms. And that debate continues, but with the addition of a new player – the hybrid cloud.
While the public cloud receives praise for its flexibility and potential cost savings and the private cloud for its robust security and reliable performance, the hybrid iteration essentially marries these features to create a compelling package for firms who don’t fit naturally into the previous two categories.
As its applicability continues to surge, it is worth understanding the concepts and benefits behind the hybrid cloud. Let’s take a look at what makes hybrid environments appealing to some organizations:
Agility & Flexibility: A hybrid cloud model allows a company to combine public cloud assets with those in a private cloud to increase agility and availability. For example, combine Microsoft Exchange and file services via the public cloud with robust security layers and 24x7x365 managed support via the private cloud, and suddenly you’re benefiting from the best of both worlds (hint: we’re talking about the Eze Hybrid Cloud).
During a recent webinar on operational due diligence, we explored the changing ODD environment for emerging managers, and our guest speaker, Frank Napolitani of EisnerAmper, helped shed light on some critical missteps that could cause ODD teams to veto an investment.
>> Click here to listen to our full conversation with Frank and hear more about operational due diligence trends
At the highest level, investor due diligence experts see the following as the most egregious red flags:
Dishonesty: Demonstrated in the form of failing to disclose or withholding information. This shows a lack of integrity.
Belligerence: When managers exhibit an ‘I’m never wrong’ attitude and are unwilling to listen to objective advice.
Incompetence: When a firm or manager’s skillset doesn’t align with the expertise required for a particular function.
More specifically, there are a number of red flags that can give investors pause and lead to either increased due diligence or an outright rejection. From a recent Deutsche Bank survey, keep reading for a few reasons:
Categorized under: Operational Due Diligence Cloud Computing Security Outsourcing Launching A Hedge Fund Private Equity Disaster Recovery Hedge Fund Operations Infrastructure Business Continuity Planning Trends We're Seeing
October is Cybersecurity Awareness Month, and since we've written A LOT about security over the last few years, we thought it would be helpful to share some of our favorite articles. Here are some of Eze’s latest and greatest cybersecurity articles - happy reading!
20 Cybersecurity Dos and Don'ts Your Employees Should Follow
What’s the Difference Between Next-Generation Firewalls and Traditional Firewalls?
Six Myths about Hedge Fund Cybersecurity
Is “Smart” Technology Invading Your Privacy?
Top 10 IT Security Audit Gaps and How to Avoid Them
An Achievable Calendar for Cyber Security Plan Implementation
Will Outsourcing Shield You from Cyber Threats?
Here Are Investment Managers' Biggest Cyber Security Fears
Risks are everywhere, particularly in today’s cyber-focused environment. But the risk a financial firm undertakes when outsourcing a function of its business to a service provider is enormous. Not only is the firm relinquishing control to an outside vendor, it also takes on the added burden of managing that company, in addition to its own.
I recently interviewed Eze Castle Cybersecurity and Data Privacy Analyst, Matt Donahue, and we spoke about how hedge funds, private equity firms and other alternatives can roll out and improve third party risk management programs.
Within an organization, where does the accountability for risk live and how do third parties fit into that structure?
Typically, when firms think about where responsibility and accountability live within their organization they mention compliance or information technology – when, in reality, there should be a sense of responsibility at almost every level. As we’ve noted before when talking about establishing a culture of security, tone should be set from the top down – and in this case, risk management responsibility starts at the top also.
If you’re making decisions with only a single lens on technology or cybersecurity or any one area – you’re missing the big picture. Senior execs bring a high-level view point that will help the risk management program align throughout the entire organization.
Today’s emerging managers face a number of challenges: fierce competition and demanding investor expectations tops among them. With operational due diligence processes evolving rapidly, how can emerging managers differentiate themselves and make an impression on suspecting investors?
During a recent webinar, speakers from Eze Castle Integration and EisnerAmper discussed the current environment for emerging managers and examined the following topics:
Key Qualities Investors Look For
Red Flags for Emerging Manager Investors
Investors IT Expectations
Why Firms Look to Outsource
Below is an excerpt from our whitepaper, 'Cybersecurity for Private Equity'. Click here to download the full whitepaper.
As private equity firms become more dependent on outsourcing and adopt new technologies to support operations, the number of threats they expose themselves to increases exponentially. It can be a daunting task to stay on top of the new and evolving risks at hand, but meticulous attention needs to be employed to mitigate these ongoing threats.
Today’s hackers and cyber criminals are not only targeting IT systems, but humans as well. Attacks vary in target, size and motive, but all pose serious risks to your firm’s wellbeing, thus it’s vital to be aware of common threat types targeting your firm and the broader private equity community. Here are a few to be mindful of:
In addition to taking advantage of human errors and naiveté, today’s hackers are also incredibly successful at identifying gaps in technology that can lead them to profit (monetary or otherwise). One of these most critical gaps is a lack of adequate and timely patch management.
Software vulnerabilities have turned heads in 2017 with news-making ransomware outbreaks such as WannaCry and Petya calling attention to outdated patches and legacy technology. First, hackers look for an entry point: often a phishing email or other social engineering scheme intended to fool users into leaving a gateway open. Once inside a firm’s network, there’s no telling the damage a hacker can do, but we’re witnessing increased activity and success in exploiting these security holes caused by inadequate patching.
What can firms do to address this security gap? Unfortunately, the problem of patch management cannot be resolved with one click of a button. Successful and ongoing management and monitoring of security patches requires a diligent effort – and one that cannot be 100% automated. Regardless of size, most firms do not have the internal resources required to manage frequent patch roll-outs, particularly for firms leveraging a host of third-party applications.
To sustain the highest levels of resiliency and prevent software vulnerabilities from causing harm on their own or at the hands of malicious hackers, firms should look to implement a patch management service. Companies – such as Eze Castle Integration! – can provide fully managed patch services to ensure software and firmware remain up-to-date and are proactively monitored to prevent security bugs and malicious exploits, reducing overall firm risk. This means seasoned IT experts are keeping pace with a constantly changing threat landscape, enforcing consistent IT policies to eliminate weak links and reducing overhead so your IT resources can focus on more complex tasks.