30 October 2020
On September 15th, the SEC issued a Risk Alert to address a method of cyber-attack that is more sophisticated yet increasingly accessible to attackers: “credential stuffing.” We’re getting close to Thanksgiving, but that’s not the direction the SEC is going. This method of cyber-attack involves using compromised client login credentials to gain unauthorized access to confidential client data, and potentially steal assets or personally identifiable information (“PII”). Per the SEC, “Cyber attackers obtain lists of usernames, email addresses, and corresponding passwords from the dark web and then use automated scripts to try the compromised usernames and passwords.” Many of these valid credentials are obtained from data breaches.
So how can you, as an Investment Advisor, proactively protect your client accounts and mitigate the risk for your firm as a whole? We will review OCIE’s observations and address potential practices for implementation!
The SEC’s Observations
Credential Stuffing attacks are increasing among Investment Advisors and if firms fail to address the risk adequately, OCIE has seen the attacks result in loss of customer assets and unauthorized access to customer information and network and system resources. Internet-facing websites also pose a large risk for firms, as they can be “used by attackers to initiate transactions or transfer funds from a compromised customer’s account.” The PII that is gained in one attack, could be used to manipulate customer accounts on other platforms.
Practices for Implementation
From their exam observations, OCIE generated suggestions for firms to implement in order to mitigate risk and protect client accounts. We dive into them below.
Policies and Procedures
SCS and OCIE preach the same mantra – “Look within thine own policies as your first line of defense,” or something along those lines. You know the drill. It is critical to address the safeguards your firm has in place and ensure that you have adequately addressed the cybersecurity risks unique to your firm. If it is not outlined for your firm, there will not be a foundation for implementation. OCIE suggests focusing on incorporating firmwide standardization of password requirements, consistent with industry standards, into your policies. To make the attacker’s job harder, for instance, you and your clients will want to consider not using the same password or variations of the same password for multiple online accounts and not use email addresses and full names that are easy to guess as login credentials. Instead, try creating a long phrase with unique symbols and ensure your policies specify the strength, length, and type required for passwords. In addition, OCIE encourages advisers to stay current with NIST guidelines for passwords. For instance, both NIST and OCIE note that password changes are actually not required unless there is evidence that an account has been comprised.
Multi-Factor Authentication Considerations
The other critical piece for your cybersecurity suite is Multi-Factor Authentication (“MFA”). We have already encouraged this for many of our clients and use it ourselves, as it creates an additional line of defense alongside a strong, unique password. If you are not already familiar, this method will require you to login with your credentials and it will provide a secondary verification method that you must enter in order to gain access to your account. This is especially critical for any applications or systems you use that contains PII. OCIE states, “Properly implemented, MFA can offer one of the best defenses to password-related attacks and significantly decrease the risk of an account takeover.”
MFA often requires your mobile phone in order to send the verification code, but you may want to take note that this is only as worthwhile as the cybersecurity protection you have on the device and your mobile phone provider. Your firm should consider mobile device management software that allows phones to be wiped clean if lost or stolen and set parameters for phones used for business purposes, such as requiring a password to access the device. OCIE warns to be aware of any instance in which your phone locks up or no longer works, as foul play could be afoot.
It is also worth noting that MFA is not fool-proof and that attackers can still identify valid client accounts on your website and those accounts could become targets for future manipulation. Attackers may try to send the verification code through other means, such as phishing emails, and attempt to access the information regardless. Hence, phishing email simulation campaigns and training are also a critical component for your firm against cybersecurity attacks.
CAPTCHA & Additional Controls
The key in credential stuffing is the automation of the attack. To help combat this, you might want to consider asking if users trying to access a login are humans! A Completely Automated Public test to tell Computers and Humans Apart (“CAPTCHA”) may sound like a science-fiction-esque control to put in place, but it is a reality in 2020 and a very effective safeguard, as automated scripts cannot select an object in a group of pictures or words within a fuzzy background.
Another, perhaps more manual, process to put in place is the monitoring of login attempts or failed login attempts over a given time period. OCIE noted that this monitoring provides the Investment Advisor with information associated with the login, such as location, language, and browser used. The Investment Advisor can then see if multiple attempts to login, using the same parameters occurred in a short period of time, which could indicate a potential attack. Firewalls can also be a very effective tool in preventing damage if a computer is taken over. If you have the resources to dedicate as well, it may be worthwhile to monitor the dark web for lists of leaked IDs and passwords to see which accounts may be vulnerable to attack.
We continue to hear about cybersecurity in the compliance space, and for good reason. It can be daunting to stay focused on the multitude of areas your firm needs to secure and protect, but it is vital, as the skills of bad actors become increasingly creative and refined. Stay vigilant and arm yourself with information that you can put into practice within your firm and recommend to your clients. Ensure that you have proper training for your staff and continue to prioritize protections for the cyber aspects of your business. SCS has also collaborated with Drawbridge Partners, LLC to conduct a live webinar event on November 10, 2020 all about Cybersecurity in the compliance space. If you would like to join, you can register here or send us an email! As always, feel free to reach out to us with any questions or concerns.