The lessons to learn from the JP Morgan hack?


Suspected Russian hackers, international intrigue and one of the biggest banks in the world, the latest security scandal to hit financial services has all of the necessary James Bond style elements.

The news that JP Morgan had no less than 90 servers taken over and data on 76 million households and businesses (approximately two thirds of all households in the USA) stolen in a recent hacking incident has generated incredulity worldwide.

Then we learn that nine other unnamed financial institutions apparently have been attacked by the same group. How could some of the most well-funded banks be so susceptible to online attack?

It also raises a number of questions in our futures and options environment, where we have (as far as we know) been largely immune from this type of issue, yet members and vendors are connected to at times 50+ global markets and are sometimes poorly protected from internet-based threats.

Only one of my online financial services requires two-factor authentication – an insanely small number. This is where you require something you know and something you have (such as a dongle) in order to authenticate yourself to the service.

Are you really who you say you are? This technology, which was an expensive implementation five years ago, is commonplace now, and there are numerous solutions which replace the username and password combination that is so ridiculously poor as a security paradigm.

Putting aside the trader’s access to a trading system, which should be uppermost in people’s minds, the connectivity of the trading systems to the matching engines at the exchange in turn is usually by simple username and password.

Rarely do exchanges nowadays lock down access to a certain network path by the physical connection, an issue in the expanding world of DMA.

I always thought that the vendors would be the weakest link in the chain as far as security in the connectivity game is concerned but it seems not.

One of the biggest banks in the world has been compromised – what does that say for some of the less well-funded players, both small brokers and buy side, especially in smaller, more esoteric markets which still have the same unfettered access to the matching engines as the major banks?

How many mnemonics does your firm have? How many are logged in right now? They should all be – or they should be disabled. Usually you can’t log in twice – which is one of your main defences. And they should be logged in for every minute the exchange is open – or else you open yourself up to possible attack. How recently have the passwords been changed on them – the exchanges seldom mandate this – and how widely known or distributed are these passwords and keys?

How do your vendors secure your credentials – do you send them by clear-text email? Do they in turn copy and paste them into their incident and change management systems? How many of these mnemonics are lying around unused in the industry? How many internal staff have access? Do they all need it? Are pre-production or staging systems protected in the same way that production systems are?
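The questions in the two paragraphs above amount to a reconciliation of your mnemonic inventory against what the exchange gateway actually reports. The following is an added example, not code from the original article; the Mnemonic fields, the thresholds and the sample inventory are all assumptions constructed for illustration.

```python
# Added example, not from the original article: reconcile a mnemonic inventory.
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Mnemonic:
    name: str
    enabled: bool           # should this login exist at all?
    logged_in: bool         # exchange gateway reports an active session
    sessions: int           # concurrent sessions seen by the gateway
    password_changed: date
    last_used: date
    holders: int            # staff/vendors known to hold the credential

# Thresholds are assumptions for this example; exchanges seldom mandate them.
MAX_PASSWORD_AGE = timedelta(days=90)
MAX_IDLE = timedelta(days=30)
MAX_HOLDERS = 3

def audit(inventory, today, market_open=True):
    """Return {mnemonic: [issues]} for every login that needs attention."""
    findings = {}
    for m in inventory:
        issues = []
        if market_open and m.enabled and not m.logged_in:
            issues.append("enabled but not logged in while market is open")
        if not m.enabled and m.logged_in:
            issues.append("disabled mnemonic still has an active session")
        if m.sessions > 1:
            issues.append("more than one concurrent session")
        if today - m.password_changed > MAX_PASSWORD_AGE:
            issues.append(f"password not changed within {MAX_PASSWORD_AGE.days} days")
        if m.enabled and today - m.last_used > MAX_IDLE:
            issues.append("unused; disable or justify")
        if m.holders > MAX_HOLDERS:
            issues.append("credential known to too many people")
        if issues:
            findings[m.name] = issues
    return findings

# Constructed sample inventory; names and dates are illustrative only.
AUDIT_DATE = date(2014, 10, 10)
SAMPLE_INVENTORY = [
    Mnemonic("ABC1", True, True, 1, date(2014, 9, 1), date(2014, 10, 10), 2),
    Mnemonic("ABC2", True, False, 0, date(2013, 1, 15), date(2014, 6, 1), 5),
    Mnemonic("ABC3", False, True, 2, date(2014, 8, 1), date(2014, 10, 10), 1),
]

if __name__ == "__main__":
    for name, issues in audit(SAMPLE_INVENTORY, AUDIT_DATE).items():
        print(name, "->", "; ".join(issues))
```

In practice the inventory would be populated from the exchange gateway's session report and your own credential register, and the check run on a schedule while the market is open.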

How many trading firms (especially the small ones) and vendors are regularly security audited? A few have adopted SSAE16 audit standards and so are held to a higher account. However, many aren’t – and our industry is only as strong as its weakest link.

Security auditing services, also known as “white hat hackers”, are mainstream now and remarkably affordable. Minerva from NCC for example will do a daily scan of your perimeter network to check for ports left open, the IT security equivalent of leaving your back door unlocked.

How many firms have implemented true “big data” technology such as that of Splunk which, when properly implemented, can provide valuable insight into issues in real time and assist no end with the diagnosis after the fact?

Smaller firms or vendors cannot afford the services of high quality and highly knowledgeable security staff – but they should.

By way of reference, in an annual letter to shareholders in April 2014, JPM announced that by the end of the year it was planning to spend a quarter of a billion dollars a year on cyber security with a team of 1,000 workers.

Your reputation and your customer data are the most valuable assets you have and security problems are real.

Hamish Purdey is non-executive director at Gresham Computing plc and was most recently Chief Executive at FFastFill plc, a SaaS provider of trading, clearing & settlement services for exchange traded derivatives. He can be contacted at hjpurdey@gmail.com

Hamish will be speaking at the upcoming FOW Derivatives World London Debates on December 9.