Group in position to know warns of significant cyber risk to our financial systems


If you are in the financial industry, of course you know about the DTCC. But if you are from outside the industry, you should also be tracking these guys. They can inform your strategic technology direction. More about why is in this post.

The DTCC is the Depository Trust and Clearing Corporation, a group that operates to close the books and clear transactions throughout the finance world. They touch most equities, bonds (corporate and municipal), mortgage backed securities, money market funds and many derivatives of these instruments. They process mutual funds and insurance transactions. They are a core piece of our financial system and the amount of information they process, daily, is staggering.

They have also long been community players. I first worked with them when the concept of ISACs was established. They remain engaged in multiple collegial community activities. Clearly they know that it takes a team to track and mitigate the current cyber threats.

The DTCC has just published a paper you should be aware of. The paper is titled Beyond the Horizon: A White Paper to the Industry on Systemic Risk. In it, the DTCC identifies a number of emerging trends that could impact the industry’s ability to protect against new and unidentified threats to the financial system.

There are many risks examined. Cyber security is key among them. From the report:

Cyber Security: This issue has emerged as arguably the top systemic threat, facing not only the global financial markets and associated infrastructures, but also world governments and military establishments. DTCC places an extremely high organizational focus on mitigating this issue and our Chief Information Security Officer’s strong industry engagement and leadership underscore that commitment. DTCC has robust internal cyber security policies and procedures and actively participates in industry-coordinated exercises aimed at increasing resiliency against cyber attacks. Despite all of these efforts and given the diverse and global nature of cyber attacks, DTCC does not expect this risk to dissipate significantly in the near term.

From the DTCC perspective, they see key cyber security threats as:

  • Risk of a Distributed Denial of Service (DDoS) attack: Objective: To cause market disruption by preventing business transactions (e.g., affect clearance, settlement and similar core functions).
  • Risk of an attack against systems containing transaction records: Objective: To cause market disruption by deleting, modifying or corrupting books and records of the financial industry.
  • Risk of disclosure of restricted, confidential, Material Non-Public Information data via compromise of internal systems: Objective: To cause loss of trust in the U.S. financial systems, insider trading and other forms of market manipulation.

More context from the report:

DDoS Attacks: In the last 12 months, DDoS attacks against financial institutions have dramatically increased. DDoS attacks typically attempt to flood the bandwidth and network connectivity between a financial institution and the broader Internet. Such an attack is carried out by sending a large volume of requests from compromised machines to the institution’s website. Prior to last year, these attacks were launched from infected desktops and home personal computers. Recently, these attacks have been launched from compromised servers (up to ~6000 servers), which have significantly more capacity and outgoing bandwidth. For example, prior to 2012, the peak volumes of DDoS attacks against financial institutions were approximately one to two gigabits per second (Gbps). Recent attacks have peaked at close to 150 Gbps, or approximately 15 times the provisioned bandwidth at a typical financial institution. The attacks have been unrelenting and are getting more sophisticated by the day. Financial institutions are spending more and more of their resources in attempts to ward off these attacks.

Advanced Persistent Threats (APT): APT attacks are stealthier than DDoS attacks because APT attacks are not public. Their objective is not to disrupt Internet-facing communications, but rather to infiltrate an institution’s systems and monitor or exfiltrate data to a server outside the firm. APT attacks are very difficult to detect, unlike DDoS attacks, which are visible and often publicized prior to an attack. In an APT attack the infected malware could be sent by a variety of means including e-mail attachments or compromised websites. The attackers often use social networking tools to perform reconnaissance and identify key employees at a firm. The attackers then compromise the machines of those individuals, and propagate horizontally and vertically within the target organization.

There are broad recommendations in the report that deserve your study. They are recommendations by thinkers who have lived these challenges and know what they are talking about.

A concluding DTCC thought regarding cyber attacks:

DTCC expects cyber attacks to escalate and become more sophisticated in the future. Attackers benefit from their anonymity and lack of attribution as well as their existence outside U.S. and E.U. jurisdictional boundaries, all of which minimize the probability of prosecution. Due to the asymmetric nature of the Internet, it is very inexpensive for an attacker to launch an attack and very expensive for the defender to defend against those attacks. Protection from these risks can be enhanced through closer information sharing, increased real-time exchange of threat intelligence and stronger prosecution across international boundaries. DTCC will engage the industry to determine actions that can be taken jointly to reduce the risk. Strategies such as leveraging DTCC’s private network to communicate in case of network disruption and enabling the industry’s small and medium participants to utilize the private network are under consideration.

For more on these and other risks see: Beyond the Horizon: A White Paper to the Industry on Systemic Risk

When it comes to technologies that can help mitigate these threats, in my opinion, full spectrum, defense in depth is the way to go (protect what you can at the national level and work to ensure rule of law internationally, but work to enhance ISP quality and ability to prevent, defend your own networks, protect servers and devices, and understand your people are your first line of defense. Also understand that the bad guys will get in so you must be able to detect, respond and recover). As you look at your full spectrum defense be sure to evaluate:

  • Centripetal Networks: Enabling telecom providers to deliver “Clean Internet” and providing the financial industry with new means to keep cyber criminals out of networks.
  • Invincea: Providing enhanced endpoint protection and shipping in millions of devices. Protection at the first line of defense, mitigating threats due to user error and deceptive malware.
  • Triumfant: Discover when any PC goes out of its normal state and act on your policy to return it to state.
  • Fixmo: Bringing security and risk management to every mobile device. Protect your enterprise data and manage your devices.
  • Recorded Future: Leverage the power of the Internet to track cyber threats and vulnerabilities and achieve quicker shared situational awareness.
  • Cloudera: Providing enhanced abilities to operate over all data to understand, including fast analysis capabilities relevant to the cyber threat.


More Stories By Bob Gourley

Bob Gourley writes on enterprise IT. He is a founder of Crucial Point and publisher of CTOvision.com
