Disruptive attacks on financial market infrastructures are on the up as hacktivists target large organisations such as stock exchanges and banks, or activities such as firms' credit card processing abilities.
So far such disruptions have not had dramatic effect, said Mark Clancy, DTCC's managing director of technology risk management, partially because the vast majority of the global trading interconnections between traders, exchanges and clearing houses happen on private networks rather than the internet itself.
"In many cases there are (back-ups) that don't have internet dependency," Clancy said. "Projecting forward, you see a lot of economic pressures for people to use the internet as a transport mechanism."
This would open up the financial system to greater levels of risk. In 2012, "Shamoon" targeted Saudi Aramco, shutting down thousands of the oil firm's work stations. A group named "Cutting Sword of Justice" claimed responsibility. In 2013, South Korea was hit by "Operation Troy", which wiped the hard drive of thousands of computers in the banking and media industries.
"Those are the types of attacks that can affect market infrastructures, exchanges, trading venues and traders and could have significant impact on the operational risks of those institutions today," Clancy said.
Cyber security risk market place
The Index of Cyber Security provides an ongoing, methodologically transparent measure of the state of cybersecurity. It will directly assess the level of risk as perceived by practicing security professionals, communicate their combined opinion to the larger community and provide a baseline status against which other individual practitioners can compare their own views. The challenge being tackled is how the index can be calculated in a credible way, and, second, the specification for the securities that could be based on such an index and the design of the markets where these could be traded.
Going forward, the index will deliver consistent time series data useful to researchers, industry professionals, the media, security product vendors, and financial markets. The specification for securities that could be based on such an index and the design of the markets where these could be traded could become a future project.
Insider threats are numerically far less prominent than external attacks but can be far more harmful, according to Index of Cyber Security's July report. However, media attention to cybersecurity failure has never been more dangerous to organisations that have such failures. For those and other reasons, it is unlikely that there isn't under some sort of pressure or directive to change how organisations deter and/or contain insider threats.
Applying security updates to hosts in a timely way, restricting local administrative privileges on user machines, keeping malware definition files up-to-date, blocking ports that are not required, segmenting the network to keep sensitive data away from the DMZ (demilitarised zone) and user networks, blocking web surfing from servers or non-user devices, keeping users educated, hardening and monitoring domain controllers, and using inexpensive or open-source vulnerability scans can foil all but the most determined attackers. If application whitelisting is practical, that makes the task of the attackers even more difficult. In short, practitioners should take the message of keeping good hygiene to management, and stress that defense is far from a lost cause as many pundits would have people believe.
Source: Index of Cyber Security
The motivations in play can be difficult to disentangle, but do tend to fall into four distinct groups - criminal, hacktivist, espionage and war-like. The financial system has been mostly concerned with protecting against the criminal activity such as theft, but protecting against other hazards is only just beginning.
"Hedge funds doing automated trading…have to be recognising that hacktivists, espionage, or war-like actors may decide that targeting an automated trading venue or trader might be the way to further their objective even if their motivation isn't to steal and that is something that the US financial infrastructure became very aware of in the last few years," he said.