Six Considerations for Investment Advisers and the CCO
The concept of “Attack Surface” with respect to IT program exposure has become more relevant due to the advent of new technologies such as cloud-based services and applications, the proliferation of mobile devices for business use, and the acceleration of breach activities.
As your responsibilities as a Chief Compliance Officer have increased, the expectation is that you stay in contact with complex processes such as IT Security/Cybersecurity. We believe it behooves you to add the concept of Attack Surface Analysis and Reduction to the lexicon of your Information Security Committee and Risk Committee.
Are We Even Considering our Firm’s Attack Surface?
Attack Surface is a simple concept: the sum of all points at which an attacker could gain access to your data and get it out of your business. Another way of thinking about this is the exposure your firm has through reachable and exploitable vulnerabilities. Your firm can increase or reduce this exposure by adding or removing specific services. The concept applies both at the macro level of infrastructure (networks, systems, and applications) and at the micro level of the functionality and configuration complexity of each of those avenues.
Notions of Attack Surface can also be applied to services and functions of your business, such as new business lines, investment strategies, and types of clients. Exposure extends beyond the technical risk of technology vulnerabilities to Regulatory and Legal risk. For example, we all know that dual registrants with both brokerage and advisory concerns may carry greater regulatory risk, as this is an area of focus with the SEC. Potential legal risk and your firm’s attack surface may both increase with the amount of Personal Identifiable Information collected and the methods used for its storage and access. A glaring example of this concept is the recent R.T. Jones (RTJ) enforcement, where the firm increased its attack surface through the use of a third-party webserver and further multiplied the risk by utilizing an application which aggregated the PII of thousands of non-RTJ clients. Did anyone at the Information Security or Risk Committee level ask, “Are we increasing our attack surface in an unacceptable manner or beyond our defined risk tolerance?” The answer was likely no.
We suggest that you think about Attack Surface with respect to three common areas of vulnerabilities for investment management firms:
- Physical security such as the use of remote or home offices for business purposes and access to corporate networks;
- The addition of new services, networks, systems, and applications such as a cloud-based Customer Relations Management (CRM) tool or a client portal; and
- The Human attack surface of your employees, who are subject to errors and social engineering and who could, unfortunately, be malicious actors themselves.
This final point, the human touchpoint, is heavily emphasized in the recent 2015 Cybersecurity Exam Initiative (“The Sweep Part 2”). Training is a primary means of reducing the attack surface presented by your employees, and the Sweep Part 2 names training as one of its 6 areas of focus, with attention to the specific roles of your staff members.
Now that you are considering your risk identification methodology in order to begin quantifying your firm’s attack surface, we would recommend reviewing and implementing the following six steps to simultaneously reduce your corresponding risk:
- Limit or control the use of Personal Systems and Devices for business purposes. This is not a revolutionary concept, but we often find that key personnel with broad access to business resources utilize multiple systems and devices for convenience. While all of these devices can be placed under Central Administrative Control with enforced policies, each device represents another potential attack vector and a temptation for the creeping dissemination of business files and information. Personal systems used for business represent a substantial challenge because of a lack of basic controls (complex passwords, timeouts, lockouts) and the failure to patch and to update antivirus definitions. Either issue business systems/laptops or bring the personal devices under Central Administrative Control. Reduce your attack surface by eliminating unnecessary systems.
- Eliminate unnecessary or seldom-used Wireless Networks. We mention this in part because we have seen high-level IT personnel and CISOs simply taking out wireless networks. A well-planned and fully segregated wireless network can serve a purpose in permitting communications via personal devices, a convenience and concession to your employees. Even so, other vulnerabilities may arise: employee personal information may be exposed, and employees may attempt to use the same devices on both personal and business networks. Too often we see integrated wireless networks which expose critical business systems. Reduce your attack surface by eliminating or properly managing wireless networks.
- Manage applications with cross-device capabilities. The biggest offenders here are personal, cloud-based storage applications such as Dropbox, which employees install or utilize on both business and personal systems and devices. Dropbox has a business-class service which permits central administrative controls, access and authorization settings (including multi-factor authentication, which is also available in the personal version), and monitoring. It is not the use of Dropbox or other cloud-based applications, per se, that causes a problem, but rather the utilization of personal accounts which cannot be controlled or monitored. The same is true for well-known business applications such as the Salesforce CRM, which has an app for cross-device use and a chat function, both of which can increase the attack surface of the application, your networks/systems, and the underlying information if not understood and properly managed.
- Restrict personal email account use on business systems. Too often we see firms with real IT competence, extensive budgets, and impressive security stacks leave the proverbial windows open through personal email access. This is a political hot potato at businesses, as users desire some level of freedom with their systems, but a great deal of breach activity, even at the Advanced Persistent Threat level, is initiated through simple email scams. The FBI warned about personal email use on critical systems back in 2012. Personal email is also a common path for data exfiltration, which is addressed in the Sweep Part 2 under Data Loss Prevention (DLP). The risk/reward ratio for personal email use simply does not make much sense in high-risk business environments. Personal applications and apps already open several attack vectors; consider getting ahead of the eventual trend, which is toward killing personal email use altogether.
- Properly manage personnel access rights and segregation. This is another major point from the Sweep Part 2: that your firm needs an orderly program for onboarding and offboarding employees and for managing access rights in the event of role change or termination. Conduct an Active Directory audit for role-based access to PII, intellectual property, and network resources. Establish access on a need-only basis and make sure you fence off existing employees and remove terminated employees.
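A read-only Active Directory access audit along the lines of the step above, written as an added example for this article rather than taken from it: it lists enabled accounts that have been dormant past a threshold (the usual residue of an incomplete offboarding) and expands the membership of the groups that gate PII, intellectual property, and shared network resources, flagging disabled accounts that are still entitled. It assumes the RSAT ActiveDirectory module is installed and that the account running it has read access to the domain; the group names, the 90-day threshold, and the output path are placeholders to replace with your firm's own.

```powershell
# Added example (not from the original article): read-only AD access audit.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

$InactiveDays    = 90                                       # assumption: tolerance for dormant accounts
$SensitiveGroups = @('Client-PII-Readers',                  # placeholder group names; substitute the
                     'Portfolio-IP-Access',                 # groups that actually gate PII, IP and
                     'Finance-Share-RW')                    # network shares at your firm
$ReportPath      = Join-Path $env:USERPROFILE 'ad-access-audit.csv'   # assumption: output location

# 1. Enabled user accounts with no logon inside the threshold.
$dormant = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) -UsersOnly |
    Where-Object { $_.Enabled } |
    Get-ADUser -Properties LastLogonDate, Department |
    ForEach-Object {
        [PSCustomObject]@{
            Finding = 'DormantEnabledAccount'
            Account = $_.SamAccountName
            Detail  = "LastLogon=$($_.LastLogonDate) Dept=$($_.Department)"
        }
    }

# 2. Membership of the sensitive groups, expanded recursively so that nested
#    group membership cannot hide an entitlement from the review.
$membership = foreach ($g in $SensitiveGroups) {
    try {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
            Where-Object { $_.objectClass -eq 'user' } |
            Get-ADUser -Properties Enabled, Title, Department |
            ForEach-Object {
                # A disabled account that still holds the entitlement means
                # offboarding removed the logon but not the access rights.
                $finding = if ($_.Enabled) { 'SensitiveGroupMember' } else { 'DisabledAccountStillEntitled' }
                [PSCustomObject]@{
                    Finding = $finding
                    Account = $_.SamAccountName
                    Detail  = "Group=$g Title=$($_.Title) Dept=$($_.Department)"
                }
            }
    } catch {
        Write-Warning "Group '$g' not found or not readable: $($_.Exception.Message)"
    }
}

# 3. One review file for the Information Security / Risk Committee. The script
#    only reports; disabling accounts or removing group members stays a deliberate,
#    ticketed change under your change-management process.
$findings = @(@($dormant) + @($membership) | Where-Object { $null -ne $_ })
$findings | Sort-Object Finding, Account | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "$($findings.Count) findings written to $ReportPath"
```

Run it from a workstation with the RSAT tools under a standard (non-administrative) reviewer account; everything it does is a read, so the review can be repeated on a schedule and the CSV compared against the previous run to see which entitlements changed between committee meetings.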
- Understand Application Level Risks. Application-level security, coding, and configuration are a complex subject, but what CCOs should know, especially if your firm has a development and proprietary application component, is that attack surface analysis applies here as well. Unfortunately, you may have to ask some questions at the next Information Security Committee or Development meeting. The Open Web Application Security Project (OWASP) sums up the application attack surface in the following points:
- the sum of all paths for data/commands into and out of the application, and
- the code that protects these paths (including resource connection and authentication, authorization, activity logging, data validation and encoding), and
- all valuable data used in the application, including secrets and keys, intellectual property, critical business data, personal data and PII, and
- the code that protects these data (including encryption and checksums, access auditing, and data integrity and operational security controls).
Conclusion:
Attack Surface Analysis is a vehicle for risk management within the Change Management process. While your firm may not have an intricate Enterprise Risk Management or Change Management program, the concept of Attack Surface Analysis and Reduction can be evaluated at the Compliance, Operational, and IT program levels. In its simplest application, the concept of reducing a firm’s attack surface may be better applied to smaller firms who can accomplish enhanced security through draconian measures of tighter controls and limited complexity. Dan Chenok, formerly of NIST, once stated that “the only way to 100% protect yourself from attacks is to turn off your computers.” We would add as a corollary to this notion that you can harden security at your firm by closely examining potential attack vectors and reducing exposure to these areas.
Finally, the discussion of attack surface would not be complete without mentioning Vendors, another regulatory hotspot and the subject of increasing demands for formalization of due diligence. While you are outsourcing specific activities and functions, you must consider exactly how you may be increasing your firm’s attack surface.
For Further Reading:
The FBI’s 2012 Alert on Personal Email on Critical Systems (PDF)