Eze Castle Integration

Hedge IT Blog


Outsourcing: Finding Common Ground in the C-Suite

By Lauren Zdanis,
Tuesday, May 23rd, 2017

Following is an excerpt from our whitepaper, Outsourcing Point-Counterpoint: Examining C-Level Perspectives at Hedge Funds and Private Equity Firms. The full paper is available for download.

Outsourcing IT can be controversial across the C-suite. Your firm's CFO may see the move as financially responsible and a long-term strategic solution. Your CTO may have concerns about retaining control of the IT environment. Both sides have unique perspectives.

Just because CFOs/COOs and CTOs have different views into IT operations, outsourcing and the cloud, doesn’t mean there is no common ground. After all, both leaders ultimately want what’s best for investors and the firm. When you dig a little deeper, there are far more areas where CFOs/COOs and CTOs agree than where they differ when it comes to outsourcing IT. For example:

Risk reduction

The outdated due diligence argument against going to the cloud has been turned on its head in the current regulatory environment. CTOs may feel they’re doing the appropriate due diligence to manage all the risks themselves. However, assessing your own risk is incredibly challenging. To thoroughly evaluate risk, and to answer investors’ five-, 10- or even 20-page due diligence questionnaires about technology, partners, vendors, cybersecurity and operations, CTOs need to devote enormous amounts of time, repeatedly. Risk assessments are not one-and-done tasks. Vulnerabilities, particularly cybersecurity weaknesses, should be assessed in depth every six months, and the issues identified must be remediated.

Categorized under: Outsourcing  Cloud Computing  Security  Hedge Fund Operations  Trends We're Seeing 



Guards Up, Phones Down: Avoiding Voice Phishing Scams and Social Engineering Tricks

By Kaleigh Alessandro,
Thursday, May 18th, 2017

Social engineering tools and tactics have transformed in recent years, and we often stress here on Hedge IT the importance of IT security, particularly when it comes to sophisticated phishing and spear-phishing campaigns via email.

One tactic we haven’t touched on is voice phishing (also known as ‘vishing’), which works towards the same ultimate goal, prompting an end user to take some action that compromises the user’s system or triggers a fraudulent wire transfer, except that this time it’s done over the phone.

Voice phishing scams are growing in popularity, often catching busy users at the end of their work day with their cyber defenses down, hoping they’ll ignore the best practices they’ve learned and instead provide sensitive information to the person on the other end of the phone.

Here are a few recent examples of voice phishing scams we’ve seen: 

  • IRS Robocalls. At the end of tax season earlier this year, many people found themselves fielding threatening calls from scammers posing as Internal Revenue Service employees and insisting that the taxpayer owed money. Unfortunately, these robocall scams worked: according to the Treasury Inspector General for Tax Administration, more than 10,000 victims have paid a collective $55 million since October 2013. TIP: The IRS almost never contacts taxpayers by phone (or text, email or social media). If it wants to get in touch, it will send you a letter.

  • Department of Motor Vehicles. Of a similar nature, vishing schemes have popped up across the US with victims receiving phone calls from supposed DMV employees requesting payments, social security numbers and debit card information. Texting and social media have also become popular avenues for these scams. 

Categorized under: Security  Trends We're Seeing 



WannaCry Ransomware: What we know, Where we are

By Mary Beth Hamilton,
Tuesday, May 16th, 2017

The WannaCry ransomware attack is slowing as IT teams across the globe work to deploy patches, disable SMBv1 and recover files, but we are still very much in the midst of the situation. Here’s a look at what we know and what we can do in an effort to prevent future attacks.

What is the WannaCry Ransomware?

On May 12, 2017, a new ransomware strain, WannaCry (initially detected by some antivirus engines under the Ransom.CryptXXX signature), began spreading globally, affecting a large number of organizations. WannaCry encrypts data files and asks users to pay a ransom in bitcoin. The ransom note states that the payment amount will be doubled after three days and that if payment is not made within seven days, the encrypted files will be deleted.

Reports indicate that the bitcoin accounts have been abandoned and that there never was an automated process linking a payment to a victim’s decryption, so victims should not pay the ransom. Recovery from backups is the best course of action.

How Did WannaCry Spread?

WannaCry has the ability to spread itself within corporate networks, without user interaction, by exploiting a known vulnerability in the SMBv1 file-sharing protocol in Microsoft Windows (the flaw addressed by Microsoft’s MS17-010 security update). Computers that do not have that update applied, and that accept SMB connections (TCP port 445) from other hosts, are at risk of infection.

According to Microsoft, “A month prior, on March 14, Microsoft had released a security update to patch this vulnerability and protect our customers. While this protected newer Windows systems and computers that had enabled Windows Update to apply this latest update, many computers remained unpatched globally. As a result, hospitals, businesses, governments, and computers at homes were affected.”

How is WannaCry Stopped?

Applying the most recent Microsoft patches (at minimum the March 2017 MS17-010 update) will help protect computers from WannaCry infections. Another immediate remediation is to disable the SMBv1 protocol, which removes the attack surface the worm uses regardless of a machine’s patch level.
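The two remediations above, as an added example that is not part of the original post: a PowerShell sequence that audits and disables SMBv1 on a Windows host and then checks whether an MS17-010 update is visible. The cmdlets are Microsoft’s own (SmbShare, DISM and ServerManager modules); the list of KB numbers is an assumption that must be confirmed against the MS17-010 bulletin for each OS build, and the script is meant to be run from an elevated session.

```powershell
# Added example (not from the original post): audit and disable SMBv1 on a
# Windows host, then check whether an MS17-010 update is visible. Run from an
# elevated session. Cmdlets are Microsoft's own (SmbShare, DISM, ServerManager
# modules); the KB list below is an assumption to confirm against the bulletin.

# 1. Audit: is the SMBv1 server still enabled? (Windows 8 / Server 2012 and later)
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol

# 2. Remediate: turn the SMBv1 server off. Takes effect immediately, no reboot.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# 3. Remove the SMBv1 components entirely (client and server); reboot to finish.
#    Windows 8.1 / 10 clients:
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
#    Server 2012 R2 / 2016:
#    Remove-WindowsFeature -Name FS-SMB1

# Windows 7 / Server 2008 R2 lack the SmbShare cmdlets. Use the registry value
# and service settings documented in Microsoft KB2696547 instead:
#   Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
#       -Name SMB1 -Type DWORD -Value 0 -Force
#   sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
#   sc.exe config mrxsmb10 start= disabled

# 4. Verify patch state. MS17-010 shipped as several KBs on March 14, 2017;
#    this list (an assumption) covers common builds, and later cumulative
#    updates supersede them, so an empty result on a current Windows 10 host
#    means "check the cumulative update level", not "unpatched".
$ms17010 = 'KB4012212','KB4012215','KB4012213','KB4012216','KB4012214','KB4012217','KB4013429'
$found = Get-HotFix | Where-Object { $ms17010 -contains $_.HotFixID }
if ($found) {
    $found | Select-Object HotFixID, InstalledOn
} else {
    Write-Warning "No MS17-010 KB listed by Get-HotFix; confirm the host's cumulative update level before treating it as patched."
}
```

Two caveats before rolling this out fleet-wide: disabling SMBv1 breaks devices that only speak that dialect (older multifunction printers, NAS boxes, Windows XP/2003 hosts), so test on a pilot group first; and because the worm propagates over TCP port 445, blocking inbound 445 at the perimeter and between user subnets limits spread even before every host is patched.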

Lessons Learned from WannaCry?

Experts warn that WannaCry may not be over just yet, so we’ll tread lightly on ‘lessons learned’, but there are a few we can share:

Categorized under: Security  Trends We're Seeing 



This Week in Cybersecurity: Phishing & Ransomware Take Center Stage

By Katelyn Orrok,
Thursday, May 4th, 2017

What can hedge funds and private equity firms learn from the Google Phishing Attack?

Employees can either be your firm’s biggest strength or biggest threat when it comes to phishing. It is critical that your employees receive regular information security awareness training to better understand the types of security threats with the potential to hit their inbox.

Beyond annual training, managed and simulated phishing exercises (like Eze Managed Phishing & Training) are reliable, cost-effective tools to train users to identify red flags in emails and avoid succumbing to malicious attacks.

What Netflix Reminded Us about Vendor Risk Management

The Netflix security breach highlights the critical importance of managing third-party vendors for firms and businesses who rely on outsourced providers to support their operations. A few key reminders on vendor due diligence and risk management:

  • Understand who your outsourced providers are, what functions they provide and what data/systems they have access to

  • Consider sending regular requests for proposals (RFPs) and DDQ documentation requests to any third parties you are evaluating or those you are already engaged with

  • Continuously evaluate and monitor to ensure all parties are achieving their end goals and meeting expectations

  • Conduct regular vulnerability assessments and/or penetration tests to have a clear understanding of your IT security weaknesses

Remember: It’s one thing to put faith in your service providers to do their jobs effectively. It’s another to ignore your own firm’s responsibility to manage that provider in an effort to protect your own firm.

Categorized under: Security  Trends We're Seeing 



Hedge Funds and Private Equity Firms: What's Your Security Attitude?

By Kaleigh Alessandro,
Tuesday, May 2nd, 2017

If there’s one thing we’ve learned over the years when it comes to security, it’s that there’s a whole lot more to creating a secure investment firm than robust technology. Before identifying infrastructure components and implementing operational policies, a firm must first be clear on what its attitude is toward security. This attitude will filter through the company from the top down, and will therefore dictate how employees and the business as a whole operate on a daily basis.
 
To give you a clearer understanding of what we mean, we’ve created three security profiles that cover a wide spectrum in terms of security attitudes and practices.

Under the Radar: Low Security

If your attitude toward security is low, odds are you’re barely scraping the surface in terms of what practices and policies you should be employing to maintain proper security firm-wide. You likely rely on quick fixes to solve problems instead of looking at the bigger picture and thinking strategically about how security can both benefit and protect your business. You’ve employed minimal preparedness efforts and could be in for a difficult task if faced with a serious security incident. You probably take an “it won’t happen to me” attitude and don’t take security seriously enough, a stance that could endanger your firm in the long term.

Categorized under: Security  Operational Due Diligence  Outsourcing  Private Equity  Hedge Fund Operations  Infrastructure  Trends We're Seeing 



Incident Response: A Step-By-Step Guide to Dealing with a Security Breach

By Kaleigh Alessandro,
Thursday, April 27th, 2017

If your firm hasn’t fallen prey to a security breach, you’re probably one of the lucky ones. But you also probably won’t be safe for long, as most firms, at some point in time, will encounter a cybersecurity incident. Cyber incidents today come in many forms, but whether a system compromise at the hands of an attacker or an access control breach resulting from a phishing scam, firms must have documented incident response policies in place to handle the aftermath.

With the threat of security incidents at an all-time high, we want to ensure our clients and partners have plans and policies in place to cope with any threats that may arise. While this list is in no way comprehensive in detailing the steps necessary to combat cyber-attacks (and many steps will vary based on the type of incident), here’s a quick step-by-step guide to follow in the event your firm is impacted by a cybersecurity breach.

1. Establish an Incident Response Team.

Choose a select group of individuals to comprise your Incident Response Team (IRT). Assign each member a predefined role and set of responsibilities, which may, in some cases, take precedence over normal duties. The IRT can be comprised of a variety of departments including Information Technology, Compliance and Human Resources.

Notably, your Incident Response Team should include your Chief Information Security Officer (CISO), who will ultimately guide the firm's security policy direction.

Categorized under: Security  Trends We're Seeing 



Hedge Fund Cloud Summit Five Years Later: What's Changed?

By Kaleigh Alessandro,
Thursday, April 20th, 2017

I love a good Throwback Thursday, and for today's post, I want to throw it back to five years ago this month. It was April 2012, and we were hosting one of our biggest and most ambitious events: a Hedge Fund Cloud Summit. At the time, cloud computing was widely discussed and adoption was certainly growing, but there were still a number of lingering questions heard across the industry with regards to financial and business impacts of the cloud, effects on in-house IT staffs and, of course, security. 

We still answer many questions related to these topics today, so I thought it might be fun to take a look back at the four panel topics we addressed back in the 2012 event and examine how much the conversation has really changed - or in some cases, how perhaps it's stayed the same. 

Making the Business (and Financial) Case for the Cloud

For hedge fund COOs and CFOs, the business impact of a move to the cloud is still a critical consideration for established firms. But many of the myths and common questions that were prevalent back in 2012 are now pretty easy to explain. How do investors feel about the cloud? In 2017, investors are generally comfortable with the cloud if not in favor of it over legacy, on-premise IT infrastructure setups. Is the cloud really more cost-effective? This question was a long-standing 'myth' that's been debunked; for some firms, yes, costs may be lower depending on their previous infrastructure and personnel situation, but for all, the predictability of cost is what has become a primary driver for cloud adopters. 

Categorized under: Cloud Computing  Security  Operational Due Diligence  Outsourcing  Launching A Hedge Fund  Private Equity  Hedge Fund Operations  Infrastructure  Trends We're Seeing 



Here Are Investment Managers' Biggest Cyber Security Fears

By Kaleigh Alessandro,
Thursday, April 13th, 2017

There’s a lot to fear in the cyber world: rogue nation states, professional cyber criminals and would-be hacktivists, just to name a few. Their weapons of choice vary in scope and substance, but regardless of the threat actor, investment management firms must employ rigid and resilient protections to ward off the equally sophisticated cyber threats that continue to surface.

During a webinar earlier this year in which we detailed various levels of cybersecurity firms should consider, we asked our attendees to identify what they determined to be the most concerning cyber threat to their business.

[Figure: webinar poll results, biggest cybersecurity fears for hedge funds]
Let’s break down these numbers a bit and explain why these cyber threats are eliciting the most fear.

Unauthorized access or theft of data (31%)

Nearly a third of firms selected this as their biggest cybersecurity fear, making it the most common fear among our respondents – and we can understand why. There are a number of ways threat actors and hackers can gain entry into a firm’s systems/network (we’ll talk about those below), but ultimately, that unauthorized access to or theft of the company’s data or sensitive information is what could lead to its downfall. From malware threats to social engineering scams to denial of service attacks, threats that result in your firm’s data and assets ending up in the wrong hands are a serious concern.

Categorized under: Security  Private Equity  Trends We're Seeing 



Top 10 IT Security Audit Gaps and How to Avoid Them

By Katelyn Orrok,
Tuesday, April 11th, 2017

When it comes to cybersecurity there are many factors that you need to be conscious of. During a recent webinar, speakers from Eze Castle Integration and Wolf & Company shared 10 of the most common cybersecurity gaps identified during an IT audit/risk assessment. We’ve listed the top 10 below and shared some particulars on a few of the most critical (in our opinion). For more detail on how these gaps are presenting themselves, and best practices for avoiding them, listen to the full webinar replay.

Top 10 IT Security Gaps  

  1. Risk Management and Governance

  2. IT Asset Management

  3. Vulnerability Assessments

  4. Patch Management 

  5. Social Engineering & User Training 

  6. Business Continuity Planning

  7. Multi-Factor Authentication

  8. Third Party Vendor Management 

  9. User Provisioning and Management 

  10. Incident Response Planning/Procedures 

Risk Management and Governance

Responsibility and accountability for risk management starts in-house – and at the top. Even for firms that rely on third party outsourced providers, it’s imperative (and often overlooked) to establish governance controls and outline who internally maintains ownership of the firm’s security posture – and more broadly, who owns the firm’s risks. 

Categorized under: Security  Operational Due Diligence  Outsourcing  Private Equity  Hedge Fund Operations  Infrastructure  Business Continuity Planning  Trends We're Seeing  Videos And Infographics 



IRS Phishing and Malware Scams Abound, Here’s How to Avoid the Bait

By Mary Beth Hamilton,
Tuesday, April 4th, 2017

As April 18th (US) and April 30th (Canada) near, cyber scammers are pulling out all their tax scams to trick consumers and capitalize on the flurry of activity. Our friends over at Proofpoint say that “this year, [they have] tracked malware distribution in addition to the customary phishing schemes among the email threats related to federal taxes.”

The IRS is also urging people to remember that “the IRS doesn't initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information. In addition, IRS does not threaten taxpayers with lawsuits, imprisonment or other enforcement action.”

So to help our clients stay vigilant, we’re highlighting some recent phishing tricks and sharing phishing flags every employee should recognize.

IRS Phishing and Malware Scam Examples

Example 1: Malware Distribution

This first example centers on malware delivery and was identified by the Proofpoint researchers who analyzed numerous tax/IRS-related phishing emails. In this IRS phishing campaign, the recipient was asked to read the IRS Privacy Policy, which was attached to the email (hint: don’t open unexpected attachments!). Once the attachment was opened and the embedded macros were enabled, the macros downloaded malware (Dridex botnet ID 1105).

[Figure: IRS malware scam email, as captured by Proofpoint]
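The macro-laden attachment above is the delivery mechanism the campaign relies on, so a practical control is to flag Office attachments that carry a VBA project before a user ever sees the “enable content” prompt. As an added example (not part of the original post or of Proofpoint’s research), here is a PowerShell check of the kind a mail-gateway or SOC script would run. Office Open XML files (.docm, .xlsm, and .docx files renamed to hide macros) are ZIP containers, and macro code lives in a part named vbaProject.bin; legacy OLE2 files (.doc, .xls) are a different binary format and are reported as needing a separate scan. The file names, temp folder and demo files are constructed for the demonstration and contain no real malware.

```powershell
# Added example (not from the original post or Proofpoint's research): flag
# Office Open XML attachments that carry a VBA project. Runs on Windows
# PowerShell 5.1 and PowerShell 7 using only .NET's built-in ZIP support.
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-OfficeAttachmentVerdict {
    param([Parameter(Mandatory)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # OLE2 compound-file magic: legacy .doc/.xls. Not a ZIP; needs olevba-style parsing.
    $oleMagic = [byte[]](0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1)
    if ($bytes.Length -ge 8 -and -not (Compare-Object $bytes[0..7] $oleMagic)) {
        return 'ole-needs-scan'
    }
    # ZIP local file header starts with 'PK'; anything else is not OOXML.
    if ($bytes.Length -lt 4 -or $bytes[0] -ne 0x50 -or $bytes[1] -ne 0x4B) {
        return 'not-office'
    }
    try { $zip = [System.IO.Compression.ZipFile]::OpenRead($Path) }
    catch { return 'not-office' }
    try {
        $names = @($zip.Entries | ForEach-Object { $_.FullName.ToLowerInvariant() })
        # Every OOXML package has a [Content_Types].xml part; plain ZIPs do not.
        if ($names -notcontains '[content_types].xml') { return 'not-office' }
        # The VBA project part is what Word/Excel execute when macros are enabled.
        if ($names | Where-Object { $_.EndsWith('vbaproject.bin') }) { return 'macro' }
        return 'clean'
    }
    finally { $zip.Dispose() }
}

# Constructed samples (assumption: minimal stand-ins, not real documents) so the
# function can be exercised offline.
function New-DemoOoxml {
    param([Parameter(Mandatory)][string]$Path, [bool]$WithMacros)
    if (Test-Path $Path) { Remove-Item $Path }
    $parts = @('[Content_Types].xml', 'word/document.xml')
    if ($WithMacros) { $parts += 'word/vbaProject.bin' }
    $zip = [System.IO.Compression.ZipFile]::Open($Path, [System.IO.Compression.ZipArchiveMode]::Create)
    try {
        $payload = [byte[]]::new(8)
        foreach ($name in $parts) {
            $stream = $zip.CreateEntry($name).Open()
            try { $stream.Write($payload, 0, $payload.Length) } finally { $stream.Dispose() }
        }
    }
    finally { $zip.Dispose() }
}

$tmp = Join-Path ([System.IO.Path]::GetTempPath()) 'macro-demo'
New-Item -ItemType Directory -Path $tmp -Force | Out-Null
New-DemoOoxml -Path (Join-Path $tmp 'IRS_Privacy_Policy.docm') -WithMacros $true
New-DemoOoxml -Path (Join-Path $tmp 'quarterly_letter.docx') -WithMacros $false
$oleHeader = [byte[]](0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1)
[System.IO.File]::WriteAllBytes((Join-Path $tmp 'legacy_statement.doc'), [byte[]]($oleHeader + [byte[]]::new(24)))
Set-Content -Path (Join-Path $tmp 'notes.txt') -Value 'plain text'

Get-ChildItem $tmp | ForEach-Object {
    [pscustomobject]@{ Attachment = $_.Name; Verdict = Get-OfficeAttachmentVerdict -Path $_.FullName }
}
```

Expected verdicts: the .docm sample reports macro, the .docx reports clean, the .doc stand-in reports ole-needs-scan and the text file reports not-office. A gateway check like this complements, rather than replaces, the endpoint control: Office 2016’s Group Policy setting “Block macros from running in Office files from the Internet” stops the macro even when a user clicks “Enable Content”, and was the single most effective mitigation for the Dridex campaigns of this period.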

Categorized under: Security  Operational Due Diligence  Hedge Fund Operations  Infrastructure  Trends We're Seeing 


