Rob is an advisor in Cincinnati at a firm with some half a billion in assets. He’s always thought his cybersecurity was pretty good and figured his firm would be a fairly unappealing target for thieves and hackers.

Still, he decided to go one step further and get a penetration test—paying professional good-guy hackers to try to break into his company’s systems and test his weak spots.

He felt confident. He had a brother who worked in IT security at a big company and felt he knew the risks pretty well. So he paid a security firm to send people to camp out in the back of his office; as it turned out, they had trouble breaking into his computers.

But he wasn’t thinking about his copy machine and scanner, which might hold high-value information like tax returns or investment statements. Like many other networked devices, copiers ship with default administrative passwords, an easy hurdle for anyone who manages to get into the building, say, alongside the cleaning crew.

“Both of [the devices] could have been loaded with software to copy data or scans to an outside location,” Rob says. “What I’m going to do is inject this malware into any device, and every time something is scanned, it’s going to go to the person who has scanned it, but a copy of it is also going to me [the bad guy].”

Now that he’s bulked up his protection, he asked not to be identified by his full name for this article.

Cyber criminals have become increasingly sophisticated, and all financial services firms are ripe targets for frauds. In 2016, the FBI’s Internet Crime Complaint Center received almost 300,000 complaints for almost $1.3 billion in losses. According to the IBM X-Force Threat Intelligence Index, the financial services sector was attacked more than any other industry that year. The most pervasive scams involve phishing, ransomware, malware and denial-of-service attacks.

Diane Pearson of Legend Financial Advisors in Pittsburgh says her IT person once told her that someone was trying to break through the firm’s firewall every night. Pearson knows of somebody at another firm who lost her job after succumbing to a phishing e-mail, wiring $50,000 from a client to a fraudster.

The scams don’t have to be terribly sophisticated. The biggest vulnerabilities of financial companies, say security experts, are, perhaps not surprisingly, their employees. Naïve staffers are most at risk of opening phishing e-mails that let fraudsters install malicious software on their machines, take over their computers and break into networks.

The biggest risk is that a hacker will capture an employee’s credentials and then log in externally to third-party vendors, says Benjamin Gordon, the manager of advisory services at Rook Security in Carmel, Ind. “Employees just aren’t educated enough on security, to be perfectly blunt. It doesn’t matter what technology you have in place, what IT team you have in place. If somebody clicks on a malicious link, it’s a problem.”

White Hat Hackers

Rook performs such simulated attacks (known as “pen tests”) for major corporations, including financial institutions, in a variety of packages that range from basic vulnerability and software testing to more novel physical site breaches.

Gordon and Nat Shere, Rook’s senior information security consultant, say that even before a pen test is done, they would recommend that smaller firms do vulnerability scanning with software that costs a couple of thousand dollars a year for a license. “Going further is the pen test itself,” says Shere. “We would perform reconnaissance over the environment and look for credentials that had already been compromised through other attacks.” The pen test is meant to prove that a suspected vulnerability could actually be exploited.

After that, the fun cloak-and-dagger stuff begins, in which the hackers (with permission from the business owners) don costumes and try to fool staff by slipping into the physical locations themselves. Says Shere, “We have posed as a maintenance crew, as fire extinguisher inspection agents, insurance agents, FedEx employees. And that gets somewhat involved … having costumes related to those personas. Creating e-mails, creating fake IDs.” The first thing they do during a physical attack is recon, some of which is fairly unsophisticated: walking around buildings inconspicuously to get a sense of what the entry points are, finding out whether there are badge readers or cameras. The Rook team might loiter around the back of a building to see if they can sneak in when somebody leaves a door open.

A lot of times the owners will set flags throughout the building, Gordon says, challenging Rook to break through different levels of security or into certain areas, like the server room.

Recently, says Shere, the firm was contracted to go into a client’s large data center in Texas. “We dressed up as though we were from the fire department. We had some clipboards; we had some very official looking outfits. And we came in and said we are here to inspect the fire extinguishers to make sure they are still up to code.” The person at the front desk called the manager. “We had a fake printed-out e-mail from a supervisor who was not there at the time saying it was OK.

“The manager ended up giving us a full access key to the entire building so that we could go floor to floor inspecting all the fire extinguishers. So we did that, wandering around on our own and basically taking pictures of all the various network and computer hardware.”

Other times, Rook digs up information about its clients’ employees on the internet. After finding out that an employee of one firm had just gotten a performance review, “we sent e-mails to around 50 to 75 of their employees with an attached document that said, ‘Here’s the results of your performance review.’ And we had nearly 60% to 70% of them download and try to execute this malicious file that gave us access to their computers.”

The firm also does phone attacks—posing as help desk or HR staffers—asking employees to reset their passwords. “It’s amazing what you can find on the internet,” Gordon says, “in terms of what a company is doing and who works there, and we can tailor our attack plans based off that information.” Hackers can find out who works in HR on LinkedIn, and send fake e-mails to staffers spoofing real human resource names.

The cost for RIAs looking for a pen test depends on what they want Rook to do—they can do it for under $10,000, says Gordon, especially if the client wants to check just one location. The firm provides step-by-step guides for remediation. Often this means beefing up e-mail security, training staff and putting a process in place (if, say, fake fire inspectors show up).

Many hackers work by cross-referencing whatever is available on the internet, especially on the dark web. Greg Fulk, COO at Valeo Financial Advisors in Indianapolis, asked Rook to test one of its custom applications.

“They will try to guess usernames and passwords,” Fulk says, “and anytime these great big public websites are hacked, something like Yahoo, they are going to try to find somebody in the Yahoo hack of 2013 who has the same credentials as one of my employees.” That employee likely uses the same password at work that he or she uses to shop for Christmas presents at Home Depot or Amazon, he says. Rook was able to find those employee credentials on the dark web and try them on Valeo’s site.

Pearson at Legend Financial says that her firm has been looking into a pen test, but that there’s a bit of a learning curve. The expense of the test aside, the scope is often too broad or nonspecific for a registered investment advisor, she says.

“With the package that we’re looking at doing, it’s probably going to cost us $10,000 to start with,” she says. Legend also had a problem with its insurance—“they won’t give us parameters of what we should be doing to be considered a better risk.”

Still, she thinks Legend is ahead of the curve, and she sees few other RIA firms even looking into these tests. Phishing and ransomware are the two biggest threats, she says. Legend has tackled that problem by making sure all e-mail comes into a single company server that is not connected to the rest of its network. That provides a level of security.

Legend also sends cybersecurity questionnaires to outside vendors who will have access to its system, something she says not all advisory firms do. Third-party software developers pose big risks.

A lot of third-party web developers are coding for functionality for the end user, says Rook’s Gordon. They are not coding with security in mind.

Pearson says there are steps you need to take if you do face a breach. “One of the things we learned up front is you don’t automatically just reach out to your clients and say, ‘Hey, somebody broke into our system.’ There are channels that need to be followed. You need to involve the police. In some cases, you might also need to be involving the FBI.”

Jenna Holm at Accredited Investors, which had $1.6 billion in AUM at the end of last year, said her firm has been doing vulnerability testing for a couple of years and does it annually. “Costs for a small business are anywhere from $5,000 to $20,000 and it really depends on how thorough a job the company is doing.

“So many companies focus on perimeter security,” Holm says, “but firms can tend to neglect internal security. If someone actually gets into your network by compromising an employee’s computer, what is actually in your file folder structure? What’s on your network? What would they have access to?”

Such analyses should prompt you to ask what you can get rid of—perhaps old documents and screen captures. That prompts further questions: Does your firm have a data retention/destruction policy? Should some employees lose access to drives or applications they aren’t using?

Karen Novak, the COO at Pershing Advisor Solutions, and Nina Weiss, the chief compliance officer at the firm, say they have managed to kill bad transfers in the cradle and save the advisors by freezing funds at the bank. Often, fraudsters have taken over client e-mails and signatures, and then pose as the clients trying to get someone at an advisory to wire them money. “In our role of custodian, we are recipients of those requests,” says Novak.

She says the fraudsters try to make false transfers sound urgent, and the weak link is the ever-helpful staffer who just wants to please customers and approve the transfer.

“For an inexperienced organization,” Novak says, “or one firm that may not be properly staffed or properly trained, it’s very easy to get somewhat blindsided or err on the side of client service rather than maybe take a step back and take that extra step to ensure they are validating that the client is in fact their client.”

Rick Brooks, the CIO at Blankinship & Foster in Solana Beach, Calif., which manages half a billion or so and has 12 people on staff, says that smaller firms do have options and that many tests are cheaper than you think.

This year the firm, through its IT consultant, began contracting with a pen testing service that costs $50 a quarter. “They give us a report that shows there are no server ports open, there’s nobody on the network accessing the network that we don’t recognize.” It’s not a white hat hack attack, but it does let the firm know who might be testing it.

“I think most firms our size sort of assume that we’ll fly under the radar [of hackers],” Brooks says. “The biggest concern for us is that clients’ e-mail gets hacked or spoofed and we wire a half million dollars to Nigeria by accident.” So the firm has policies and procedures in place when a client asks for money, during a phone call, for instance. “But it’s always in our minds that we are one phone call away or one click away from a serious disaster.”